Achieving data protection compliance with document management systems (DMS)
Businesses that operate in member states of the European Union (EU) and deal with large volumes of personal data are required to adhere to the guidelines provided by the EU’s Data Protection Directive [1]. This case study sets out to determine what the guidelines entail, and how Document Management Systems (DMS) can help businesses meet them.
The protection of personal data is clearly stated as being a universal right in the Treaty on the Functioning of the European Union (Article 16) [2]. According to the Treaty, everybody has the right to the protection of personal data concerning them – this fundamental right is also recognised in Article 8 of the Charter of Fundamental Rights of the European Union [3].
In view of the differences between data protection laws across the EU, especially the lack of data protection laws in some Member States, action was needed at the European level because the differences could have created potential obstacles to the free flow of information. The need to remove these obstacles resulted in the harmonisation of national provisions in this field [4] – and, to date, all EU Member States have implemented this Directive into national law.
For businesses, the Directive applies to data processed by automated means (e.g. computer databases) and to data that is part of non-automated filing systems in which they are accessible according to specific criteria.
In order to address the challenges, the Commission set out the Data Protection Directive, which outlines key aspects of processing personal data to ensure privacy, while still enabling the EU to meet other objectives such as a high level of health protection.
To help conform with this Directive, a DMS is recommended to provide a business with certain physical improvements, alongside robust security measures.
Exploring the features of DMS
As well as providing businesses with a new and efficient workflow system, Document Management Systems (DMS) offer many useful features that can improve compliance with the EU’s Data Protection Directive:
DMS features that aid in the confidentiality of data
- Encryption – Converts readable data into disjointed letters and symbols that cannot be meaningfully deciphered without a secret mathematical key.
- Access control – Enables central system administrators to allow/disallow access to data; the most common type of access control is role-based, where an administrator allows access to records based on the individual’s job role.
- Authentication – Ensures that a person attempting to access data is who they say they are; the most common type of human authentication is a password, but other, stronger authentication methods include two-factor and three-factor iterations.
- Redaction and data splitting – Digitised documents can be more easily split and redacted while in a DMS. Credit card information can therefore be split by information sets, such as “numbers only” or “name and numbers” based on which employee is accessing the database.
DMS features that aid in maintaining the integrity of data
- Digital signatures – A type of authentication that, unlike passwords, helps maintain the integrity rather than the confidentiality of data.
- Checksums – A mathematical method to detect whether data has been modified in any way, intentionally or by accident.
DMS features that aid in maintaining the availability of data
- Data backup – A critical functionality that enables organisations to recover from, and continue operating in, the event of a disaster.
- Data retention – After a DMS has been integrated into basic workflows, a company’s biggest issue is no longer the system itself but the retention of data – not just in terms of upkeep, but also when retaining it is no longer an option, e.g. the human resources records of past employees.
Further benefits of a DMS
- Cost savings – Transitioning to the digital management of documentation introduces numerous opportunities for cost savings, from decreasing the physical space required to store paper records to automating tedious tasks.
- Process efficiencies – Through features such as advanced workflow integration, a DMS helps to eliminate many repetitive manual tasks required to maintain paper documentation, in turn freeing staff to focus on more important duties.
- Improved client relations – A DMS helps businesses be more responsive to clients (faster communications), which improves the overall quality of service by ensuring the right people have quick access to relevant documents.
What to consider when deploying a DMS
Transitioning from a predominantly paper-based documentation system to one that achieves the full benefits of digital document management can be challenging. Although a DMS’s advantages are clear, many companies hesitate to adopt one because of the perceived complexity.
Here’s what you should consider in order to achieve an orderly and efficient DMS deployment:
Encryption – This should be strong enough to withstand malicious individuals’ attempts to brute-force their way into a system, which involves trying every possible combination of the encryption’s mathematical key. To ensure the confidentiality of data, a DMS should offer the Advanced Encryption Standard (AES) with a minimum key length of 128 bits.
Access Control – Of the numerous types of access control models, the most common is role-based. This enables a central system administrator to allow/disallow individuals to access full or partial information based on their roles and purpose. This is probably the most efficient type of access control to implement.
Authentication (for data confidentiality) – Single-factor authentication is robust and remains one of the easiest and most affordable authentication schemes. However, it can be made more secure by implementing two-factor authentication. This requires users to authenticate themselves by providing something they know (e.g. a password) in addition to something they possess, such as a time-sensitive code sent to their mobile telephone. A DMS supporting this therefore provides stronger protection.
Authentication (for data integrity) – Some DMSs support digital signatures for both the transmission of data, and the facilitation of authentic electronic signatures. This feature adds a layer of security to a business process that can significantly improve the efficiency of a common task.
On-site versus cloud backup – This continues to be one of the hottest topics of debate in the security community: is data safer when stored on site or in the cloud? The truth is, each has its inherent advantages and disadvantages, and effectiveness depends on the security model. Selecting a DMS that offers both options is wise. After all, businesses change, and requirements evolve.
Audit support – A DMS should provide adequate audit support features. Examples include audit tracking, which logs every modification to files made by users or the system; and document retention, which allows users to set an expiration date for storing files. Such features can reduce manual processes.
Hardware (scanner) – All of the features above apply to the software piece of the DMS. But hardware, particularly the scanner, is an equally important aspect. In evaluating scanners, consider the speed and quality of scanning, as well as its reliability and how easily it integrates with the DMS software.
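The access control, redaction and audit tracking points above can be seen working together in the following added example, which is not taken from any DMS product. The role names, field names and sample record are assumptions constructed for illustration: each role receives only its own "information set" of a card record, unknown roles receive nothing, and every access attempt is logged.

```python
from datetime import datetime, timezone

# Constructed sample record; the card number is a widely used test value.
RECORD = {"cardholder_name": "A. Example",
          "card_number": "4111111111111111",
          "expiry": "12/30"}

# Hypothetical roles mapped to the information sets the text describes.
ROLE_VIEWS = {
    "payments_clerk": {"card_number"},                      # "numbers only"
    "account_manager": {"cardholder_name", "card_number"},  # "name and numbers"
    "support_agent": {"cardholder_name"},
}
# Roles that see the card number only in redacted form (an assumption).
MASKED_FOR = {"account_manager"}

# Stand-in for the DMS audit trail; a real system would use append-only storage.
AUDIT_LOG = []


def mask_pan(pan: str) -> str:
    """Redact everything except the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


def view_record(user: str, role: str, record: dict) -> dict:
    """Return only the fields the role may see and log the access attempt."""
    allowed = ROLE_VIEWS.get(role, set())  # default deny for unknown roles
    view = {k: v for k, v in record.items() if k in allowed}
    if "card_number" in view and role in MASKED_FOR:
        view["card_number"] = mask_pan(view["card_number"])
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "fields": sorted(view),
        "granted": bool(view),
    })
    return view


if __name__ == "__main__":
    for user, role in [("u1", "payments_clerk"), ("u2", "account_manager"),
                       ("u3", "intern")]:
        print(role, view_record(user, role, RECORD))
```

Denied attempts are logged as well, so the audit trail shows who tried to read a record and not only who succeeded.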
The three-step DMS integration plan
Now you’ve seen what to consider when deploying a DMS, the next step is its integration – and making it as successful as possible. Here are our three steps to ensuring that transitioning from a paper-based environment to a digital one is as smooth as possible:
- Think holistically about the business environment during planning – DMS is primarily a technological solution, but people and processes impact its implementation. Consider how the deployment of a DMS will affect existing processes and how it will impact staff roles and responsibilities. Organisations that evaluate their environments holistically, taking time to document the current state (without a DMS) versus the future state (with a DMS) operations, are more likely to select an optimal DMS and achieve specific goals following its deployment. Take care to also think about where data is ingested by your business, and plan your integration around these key areas.
- Develop a phased transition plan – The transition from paper to digital can be implemented on a gradual basis during the course of day-to-day operations. The transition must not occur all at once. For example, you could lay out a plan to conduct batch conversions from paper to electronic records during the course of your regular billing cycle, or request a plan that involves converting paper records into digital formats. It could take one or two years for you to complete the transition at this pace, but the approach can be more efficient by integrating record scans into normal workflow activities, versus treating the activity as separate projects. It would just require implementing a new process and modification of one or more existing staff roles.
Alternatively, the transition could be phased according to milestones or volumes rather than events. For instance, using a document scanner capable of scanning from 45 to 65 pages per minute (ppm), you can convert 4,500 to 6,500 records from paper to electronic format per day. Depending on the size and complexity of your business environment, such an approach could make more sense.
- Plan for staff training – Deploying a DMS and implementing its use into daily workflow requires training. All of the security features are useless if staff are not trained how to properly configure and operate the technology. Evaluate the vendors’ training, as well as on-going technical support, as part of the buying process.
Through diligent product evaluation, careful organisational planning, and a logical phased approach, you can achieve an orderly and efficient transition from paper-based to digital working environments.
Why are scanners essential to DMS?
Scanners are where physical information becomes manageable, secure digital content. A reliable, multifunctional scanner is able to easily capture, convert and distribute scanned information within your organisation – enabling you to seamlessly integrate high-quality images from simple document filing systems to cloud services and enterprise content management solutions.
Scanners that significantly cut the steps required to capture and store documents – while supporting a wide range of applications across numerous sectors and business environments – form the basis of an efficient workflow. Whether you’re scanning images as small as a stamp, or as large as an A0 blueprint, it’s well worth having a scanner that can capture every aspect in high resolution, and reproduce them on almost any scale.
Why you need a flexible, purpose-built solution
The documents you work with will determine the scanning hardware you choose. For example, your business may deal with large volumes of forms and applications that initiate crucial business processes. Therefore, you need to choose a purpose-built document scanner capable of dealing with various media thicknesses and documents comprised of many pages.
Purpose-built solutions, capable of scanning cheques and dealing with transparencies, are key in industries that work with acetates – such as those used by engineers on structural blueprint overlays, or X-rays for use in insurance case files. The benefit of such purpose-built scanning devices is that users will always have peace-of-mind that they are using the right tool for the job.
Multi-function print/scan devices also present an interesting proposition to companies looking to invest in future-proof business solutions. On the one hand, they are designed to print high volumes, at high speeds, at high quality, and on the other they also feature an integrated scanner – users can therefore scan documents on receipt, and print them on demand, all with one device.
The choice of hardware is just as important as making the choice to move to a digital document management system. The right scanners are the pathway to achieving a level of quality and efficiency in the digitisation of your documents, and so choosing the right ones must be a planning phase all of its own.
To find out more about business scanners, visit www.epson.eu/business-scanner-range
1 For more information, please visit: http://ec.europa.eu/justice/data-protection/
2 For more information, please visit: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012E/TXT
3 For more information, please visit: http://www.europarl.europa.eu/charter/pdf/text_en.pdf
4 For more information, please visit: http://ec.europa.eu/justice/policies/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf