NetDocuments and GDPR · ACS - Technology | Trusted Suppliers · 2019. 3. 29.



  • NetDocuments and GDPR

    QUICK FACTS 2017

    GDPR – What is it?

    The General Data Protection Regulation (GDPR) protects the rights that persons in the European Union have regarding their personal data, how that data is processed and how it moves inside and outside of the EU. The regulation was passed April 27, 2016 and goes into effect May 25, 2018.

    Why is the GDPR Important?

    The GDPR regulates entities inside or outside the EU which process the personal data of persons in the EU. Processing includes international transfers of personal data. The GDPR imposes fines of up to €20,000,000 (approximately $23,600,000) or up to 4% of the world-wide revenue of an entity’s preceding financial year, whichever is higher, for controller or processor violations of its regulations.

    What does the GDPR regulate?

    The GDPR defines four terms which are points of focus in the regulation:

    PERSONAL DATA “means any information relating to an identified or identifiable natural person (‘data subject’);”

    PROCESSING “means any operation… performed on personal data… such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use…;”

    CONTROLLER “means the natural or legal person, public authority, agency or other body which… determines the purposes and means of the processing of personal data.”

    PROCESSOR “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

    The GDPR regulates how controllers and processors may process and move the personal data of persons in the EU. Under these definitions, law firms and other organisations which use the NetDocuments Service are controllers and NetDocuments is a processor. The NetDocuments Document Management Service (DMS or “Service”) processes documents for controllers and some or many of those documents may contain personal data.

  • How does the GDPR regulate transfers to Third Countries?

    In addition to mandating compliance with the processing principles and the data subject rights listed above, the GDPR requires that transfers to countries outside of the EU may only take place if one of the following provisions is met:

    AN ADEQUACY DECISION has been made by the EU Commission that the destination country ensures adequate protection of personal data; or

    APPROPRIATE SAFEGUARDS have been put in place by the controller or processor. Appropriate safeguards may include:

    A. a legally binding and enforceable instrument between public authorities;

    B. binding corporate rules approved by a competent supervisory authority;

    C. standard data protection clauses adopted by the Commission;

    D. standard data protection clauses adopted by a supervisory authority and approved by the Commission;

    E. an approved code of conduct and binding and enforceable commitments; or

    F. an approved certification mechanism and binding and enforceable commitments.

    What does the GDPR require?

    The regulation identifies six principles for how personal data shall be processed and guarantees eleven rights of data subjects:

    PRINCIPLES FOR PROCESSING PERSONAL DATA

    ARTICLE 5A. Processed lawfully, fairly and in a transparent manner

    ARTICLE 5B. Collected for specified, explicit and legitimate purpose

    ARTICLE 5C. Adequate, relevant and limited to what is necessary

    ARTICLE 5D. Accurate and kept up to date

    ARTICLE 5E. Kept no longer than necessary

    ARTICLE 5F. Kept securely

    RIGHTS OF DATA SUBJECTS

    ARTICLE 12. Right to transparent information, communication and modalities

    ARTICLE 13. Right to know where personal data are collected from the data subject

    ARTICLE 14. Right to know where personal data have not been obtained from the data subject

    ARTICLE 15. Right of access by the data subject

    ARTICLE 16. Right to rectification

    ARTICLE 17. Right to erasure (‘right to be forgotten’)

    ARTICLE 18. Right to restriction of processing

    ARTICLE 19. Right of notification regarding rectification or erasure or restriction

    ARTICLE 20. Right to data portability

    ARTICLE 21. Right to object

    ARTICLE 22. Right to refuse automated decision-making, including profiling

    In order to comply with the GDPR a controller must meet the principles for processing personal data and must honor the rights of data subjects.

  • How does NetDocuments (a processor) comply with the GDPR?

    On July 12, 2016 the EU Commission issued an Adequacy Decision based on EU Directive 95/46/EC (the EU Data Protection Directive or DPD) stating that the US Privacy Shield program provides adequate safeguards for the transfer of personal data from the EU into the US. A US entity which wishes to comply with the DPD-based Adequacy Decision must be certified under the Privacy Shield Program. The US Privacy Shield Adequacy Decision shall remain in force under the GDPR until it is either replaced or ruled invalid. The NetDocuments Service is currently certified under the US Privacy Shield Program, meaning NetDocuments currently meets DPD data transfer requirements and will meet the GDPR requirements (until such time when they may be changed) and may facilitate a controller’s transfer of personal data to the US.

    As other Appropriate Safeguards become available, NetDocuments will actively evaluate those options and work to implement those which provide the most value and protection to NetDocuments and its customers.

    The NetDocuments Service is designed and operated so that all customer (controller) documents, including documents which may contain personal data, are kept completely private and secure, both at rest and in transit. NetDocuments personnel have no knowledge as to the type or contents of customer (controller) documents. Because of this, the principles for processing personal data and the rights of data subjects are not directly applicable to NetDocuments. Instead, NetDocuments becomes a primary service enabling controllers to comply with these core GDPR requirements.

    How does NetDocuments help customers (controllers) comply with the GDPR?

    The GDPR principles define standards for how controllers are to process personal data. The NetDocuments Service provides tools and functions which directly assist controllers in securely complying with many of these requirements.

    The GDPR also identifies rights given to data subjects. The NetDocuments Service becomes a secure and convenient way for controllers to assist in honoring and maintaining those rights.

    The table on the following page lists key actionable articles in the GDPR, identifies the regulated activity in the article and illustrates the level of responsibility controllers and NetDocuments (a processor) have or do not have for the listed activity.

    NetDocuments also provides a compliant solution for moving documents which may contain personal data between the US and the EU. Through its current adoption of the US Privacy Shield standards and its commitment to embrace future Appropriate Safeguards, NetDocuments gives customers (controllers) a powerful, centralised application to securely and privately manage documents from around the globe, including documents in the EU.

    NetDocuments is your best path to GDPR Compliance

    No other products on the market today offer all of the features found in NetDocuments, including:

    Global document management

    Comprehensive functionality meeting most GDPR compliance requirements

    Comprehensive security and encryption with customer managed encryption keys

    Highest-in-industry user adoption

    Industry leading ease-of-deployment and ease-of-use

    Contact a NetDocuments Representative to learn more about how NetDocuments can become your primary GDPR solution.

    Continue to view the GDPR Sections and NetDocuments Processing

  • GDPR Sections and NetDocuments Processing

    GDPR ARTICLE | REGULATED ACTIVITY | CONTROLLER RESPONSIBLE | ND (PROCESSOR) RESPONSIBLE | ND PRODUCTS
    --- | --- | --- | --- | ---
    3(2)(a) | Offering goods & services to data subject | Yes | Support | DMS
    3(2)(b) | Monitoring data subject behavior within EU | Yes | No | n/a
    3(3) | Processing by Controllers outside EU | Yes | Yes | DMS
    5(1)(a), 6 | Lawful, fair & transparent processing | Yes | Yes | DMS
    5(1)(b) | Data collection purpose limitation | Yes | Support | DMS
    5(1)(b) | Data archiving purpose limitation | Yes | Yes | DMS, DRM
    5(1)(c) | Personal data minimisation | Yes | No | n/a
    5(1)(d) | Personal data accuracy | Yes | Support | DMS
    5(1)(e) | Personal data storage period limitation | Yes | DOCS | DMS
    5(1)(e) | Personal data archiving safeguards | Yes | DOCS | DMS
    5(1)(f) | Processing integrity & confidentiality | Yes | Yes | DMS
    5(2) | Accountability for compliance with GDPR | Yes | Yes | DMS, Compliance
    7(1) | Obtaining & demonstrating consent | Yes | No | n/a
    7(2) | Consent uses clear & plain language | Yes | No | n/a
    7(3) | Easy for data subject to withdraw consent | Yes | Support | DMS
    7(4) | Requiring consent when not necessary | Yes | No | n/a
    8(1) | Obtaining parental consent for children | Yes | No | n/a
    8(2) | Verifying validity of parental consent | Yes | No | n/a
    9(1) & (2) | Revealing special categories of personal data | Yes | Yes | DMS
    9(1) & (2) | Uniquely identifying persons or special data | Yes | Yes | DMS
    10 | Processing criminal conviction data | Yes | Support | DMS
    12(1) | SAR responses in clear & plain language | Yes | DOCS | DMS
    12(2) | Facilitating SARs & auto-profiling opt out | Yes | Support | DMS
    12(3) & (4) | SAR responses without undue delay | Yes | No | n/a
    12(3) | SAR responses by electronic means | Yes | Support | DMS
    12(5) | Charging for SAR responses | Yes | No | n/a
    12(6) | Requesting additional info for SAR responses | Yes | No | n/a
    12(7) & (8) | Providing icons in SAR responses | Yes | No | n/a
    13(1) & (2) | SAR response details (direct collection) | Yes | Support | DMS
    13(3) & 14(4) | Disclosure of further processing details | Yes | Support | Compliance
    14(1) & (2) | SAR response details (indirect collection) | Yes | Support | DMS
    14(3) | SAR response (indirect collection) time limits | Yes | No | n/a
    15(1) | Right of access to personal data | Yes | Support | DMS
    15(2) | Right of being informed of third country transfer | Yes | Support | Compliance
    16 | Right to rectification (correction of inaccuracies) | Yes | Support | DMS
    17 | Right to erasure (‘right to be forgotten’) | Yes | Support | DMS
    18 | Right to restriction of processing | Yes | Support | DMS
    19 | Right to notification about rectification or erasure | Yes | Support | DMS
    20 | Right to data portability | Yes | Support | DMS
    21 | Right to object to processing | Yes | Support | DMS
    22 | Right to not be subject to automated processing | Yes | No | n/a
    25(1) | Data Protection by Design | Yes | Yes | DMS, Compliance
    25(2) | Data Protection by Default | Yes | Yes | DMS, Compliance
    28(1) | Processor technical/organisational measures | Selection | Yes | ISO27001/SOC 2
    32(1)(a) | Security of processing (encryption) | Selection | Yes | Tiered Encryption
    32(1)(b) | Security of processing (ensuring CIA & R) | Selection | Yes | SOC 2
    32(1)(c) | Security of processing (can restore/recover) | Selection | Yes | DMS
    32(1)(d) | Security of processing (reviews & audits) | Selection | Yes | Compliance
    32(2) | Security of processing (risk assessments) | Selection | Yes | Compliance
    33 | Notification of data breach to authority | Yes | Support | DMS, Compliance
    34 | Notification of data breach to data subject | Yes | Support | DMS, Compliance
    35 | Data Protection Impact Assessment | Yes | Yes | Compliance
    37 | Designate a Data Protection Officer | Yes | Yes | Management

    LEGEND

    Yes: Direct responsibility for the requirement

    Selection: The entity chooses how it meets this responsibility

    Support: The entity enables compliance with the responsibility

    No: Entity does not have responsibility for the requirement

    DOCS

    DEFINITIONS

    DMS: Document Management Service

    DRM: Digital Rights

    Compliance: Internal compliance activities

    n/a: No support for this requirement