Easing the administrative burden of GDPR


GDPR is now in full effect, marking the biggest change to data protection legislation since the 1998 Data Protection Act. Businesses from the mighty to the small have hit the headlines since the legislation came into force, from the Facebook and Cambridge Analytica data scandal, which received a fine of only £500,000 because it happened prior to the deadline, to Ticketmaster’s hack, which could have breached the GDPR reporting deadline.

Businesses in the UK and across Europe are still grappling with how to achieve GDPR compliance despite the deadline having passed. In February, only three months before the enforcement of the General Data Protection Regulation, 60% of businesses stated they weren’t ‘GDPR ready’ (Populus). This month, ICSA: The Governance Institute found that 4 in 5 businesses see GDPR as a drain on resources.

This fits with another survey conducted pre-GDPR, which found that complying with GDPR subject access requests alone would take 172 hours a month for small-to-medium-sized businesses, rising to a staggering 1259 hours per month for larger enterprises (defined as having over 250 employees). This equated to one employee solely dedicated to the task (smaller businesses) or 7.5 employees (larger enterprises).

This time is calculated based on the number of subject access requests businesses are expected to receive. For the companies at the smaller end of the scale, 89 enquiries a month are expected. From that, employees will search an average of 23 databases to look for the subject’s Personally Identifiable Information (PII), with each search taking an average of 7 minutes.

Staggeringly, big businesses are expected to receive 246 subject access requests a month, which equates to the 1259 hours a month figure. Much of this time comes from manual, error-prone processes that could be automated, or at least streamlined. There is an alternative.

That alternative is a cloud document management solution.

SharePoint has long been hailed as the ultimate electronic document management system. And as Microsoft continues to evolve Office 365, which has many apps built upon a solid SharePoint foundation, its capabilities have only grown stronger. Importantly, SharePoint Online is a cloud-based solution that is accessible anytime, anywhere, offering businesses mobility; essential in the digital-first world.

One of SharePoint’s key features since day one has been its unrivalled search functionality, more commonly termed ‘findability’. Provided documents are saved in SharePoint, it doesn’t matter where a document sits – you can find it with a simple search. SharePoint’s findability has been loosely likened to Google’s search, so powerful is its internal search engine. Saving all documents in a SharePoint environment, which would be a requirement of having a document management solution in place, means any documentation with a subject’s personal information would be instantly returned.

In terms of regulatory requirements, SharePoint allows users to set a wide variety of policies, from large global policies to ones specifically related to certain documentation. In light of GDPR, a key example is a personal information policy, whereby you can dictate that any documentation that holds personal information – like full names, email addresses, phone numbers or even financial information – cannot be shared outside of your organisation. At the moment someone tries to share such a document, SharePoint scans it for the criteria, in this case personal information, and blocks the sharing of the document; this safeguards against the inappropriate sharing of sensitive customer or employee information.

Process improvements can also be made in the SharePoint environment. The revision of policies and processes is a key tenet of the GDPR, in particular policies related to data processing and retention. It’s vital to cascade these policies to employees to ensure GDPR compliance is embedded in your company culture. SharePoint allows you to give all employees access to policy documentation, and to track once they’ve consumed the information. Notifications can be triggered once a document is read, or if employees miss the deadline. SharePoint can even be used as an online Learning Management System (LMS), with policies added to courses that have a quiz to pass to ensure the information is taken on board.

Importantly, with SharePoint you’ll always be working on a single version of the truth. Functionalities like version control and audit history allow multiple stakeholders to work on the same document – even at the same time with the cloud-based SharePoint Online – without losing important updates to the document.

GDPR is proving to be laborious for businesses only two months after its advent. The ICSA: The Governance Institute survey also found that businesses have hired more staff or external providers to ease the burden, but this is proving costly. Businesses must look to other means to reduce the strain on already-overstretched resources. Implementing an electronic document management system – or utilising an existing one, which will likely be the case for specific sectors like housing and legal – is one of the most viable options, significantly reducing time spent on complying with subject access requests and securely managing documentation with personal information.


Natasha Bougourd is Lead Applications Writer at TSG, specialising in IT support, Office 365, GDPR and business intelligence.

TSG is an IT support company that has expertise across a wide range of technologies, from Office 365 to Sage and Pegasus ERP solutions to IT support, infrastructure and cyber-security solutions. Holding 8 Microsoft Gold competencies, TSG places focus on a highly-skilled and qualified workforce with over 1000 recognised accreditations between its team of experts, including MCSE Certifications, Prince2 and ITIL qualifications.