Understanding the risks - the four key areas
Many of our Twofold customers ask us how we can help them meet their GDPR requirements. The good news is that the same set of solutions that you use to make your processes more efficient can also be used to help you meet the regulations. First of all, we should state that we are not lawyers, and our advice is meant to augment your own policies and procedures, but you will need to take a view on your own processes.
To make understanding the risks simpler, I am going to break the risks down into 4 key areas: benchmarking your processes, reducing risk on inbound documents and data, automating the compliance process with continual forensic investigation, and ensuring your outbound communications don’t let you down.
One of the greatest challenges faced by any organisation is real-time mapping of its processes and understanding their effectiveness. Many man-years of effort and huge amounts of IT spend have been thrown at this issue, but if your processes span multiple systems, getting a true representation of how efficient you are - and where the compliance risks exist - has become almost impossible. Even with modern “easy to use” BI tools like Qlik, Power BI, or Tableau, the task of understanding your processes is incredibly hard. The main reason is that with these tools you first need to know where the problems are before you can investigate, write reports, and delve into your metrics and data. Twofold take a unique approach: we take transactional logs and, within a few seconds, show your processes, bottlenecks, and issues. The same tool can be used to identify and search out any GDPR compliance issues, especially where transactions span multiple systems.
Our approach is simple and pragmatic: we review all inbound documents and data, whether electronic or on paper, and ensure you do not expose yourself to risk.
The Inbound Risk
Most traditional approaches to staying compliant with GDPR start with reviewing your internal systems and processes, and whilst this is of course essential, it often misses a key risk. Documents and data arrive at your organisation from multiple channels, and unless you are monitoring all of these for breaches you are at risk. Ask yourself a simple question: 'What single system do we have that monitors all inbound emails, documents, post, internal scanners and MFDs, web traffic, and even faxes?' The answer is often 'nothing'. Twofold have a single platform to automate the capture of information and documents from any source and then check it for any compliance risk, including GDPR. The primary use for this tool is to automate your processes, and we span the physical mail room, where our letter openers and scanners are used to digitise documents and capture data and information automatically. But typically the majority of information now arrives electronically, and the same solution can monitor all inbound documents and data and identify risks.
One of the greatest challenges of GDPR is that you have to disclose all information you hold on an individual if requested to do so. Firstly, have you got a process in place to perform this task, and secondly, how can you ensure that every digital artefact is disclosed? Can you guarantee that all data in your organisation is being monitored? Is every local drive of every desktop, laptop and server being scanned for compliance risks? More importantly, what data time bombs exist in your email trails across the whole organisation?
Just imagine this simple scenario: as part of your employee or customer onboarding process you need to validate information by requesting a copy of a driving licence or passport (or any other document). Your team either ask for a copy to be emailed or take a scan of the document. These documents contain a vast array of potentially non-compliant information not needed by your organisation. And if you have scanned a copy or had a copy sent in, the document might be an image file such as a TIF or PDF. How can you scan every image you store for non-compliant data artefacts? Twofold can search every location in your organisation and read image files for potentially damaging information; we can flag up issues or redact them out. Our software robots work 24/7 to hunt through your organisation for compliance risks (GDPR or any other) and alert you when an issue is discovered.
Any chain is only as strong as its weakest link. Just imagine you have the most rigorous internal controls and have rooted out every potential GDPR risk in your organisation, but when you come to send a letter out in the post a simple accident takes a letter, or part of a letter, and puts it in the wrong envelope. If you have automated envelope-filling machines, how can you ensure that all of the contents are correct and that a single mistake can’t happen?
You will know who you write to and the sensitivity of that data. At Twofold we have a comprehensive approach encompassing hardware and software to ensure mistakes can’t happen.
Our view on GDPR approaches it from a unique angle: many people we speak to haven’t considered all the issues present in their inbound and outbound document processes, and Twofold are here to help. We don’t scare people with GDPR rules and penalties but instead offer practical, common-sense advice that will keep you compliant.
Digital Transformation expert