This article appears in the Spring 2018 magazine issue of DOCUMENT Strategy. Subscribe.


The General Data Protection Regulation (GDPR) makes its debut in May, and it will be big. For large companies, fines could reach up to four percent of annual global turnover for non-compliance. Many efforts to meet these new requirements are focused on applications such as enterprise resource planning (ERP) and customer relationship management (CRM) systems, but what will the GDPR mean for the documents we manage?

If you agree that electronic document management (or any of its synonyms) is the foundation of corporate information management, then that means complying with the GDPR—or face the wrath of the European Union.

The following articles within the GDPR are those that require particular attention for the domain of document management:

Article 15: Right of Access by the Data Subject

Company employees will need to access most of their personal documents stored by the organization (e.g., in the human resources file cabinet) to ensure they are still valid, all necessary documents are filed, and so forth. Naturally, there must be measures taken to prevent employees from accessing any documents belonging to their colleagues.

Article 16: Right to Rectification

Employees may store new versions of existing documents to correct incomplete or inaccurate data or add completely new statements. As in Article 15, individuals should only be able to rectify their own documents and not anyone else’s.

Article 18: Right to Restriction of Processing

Data subjects or, in a corporate environment, employees have the right to demand that information given to the company is not used outside their legal purpose. If documents fall outside the scope of legal obligation, public interest, or legal claims, the employee has the right to exclude them from further processing either temporarily or permanently.

Article 20: Right to Data Portability

Employees have the right to demand their personal data in a portable format, so they can access it without the need for specific software. Therefore, an electronic document management (EDM) solution must be able to meet this requirement, including functionalities such as exporting documents to a DVD, a database with related metadata, and selective search and viewing on any computer.

Article 25: Data Protection by Design and Default

Software, which supports the EDM solution, must allow for data protection by design and default. Selecting software that does not meet these conditions is not a wise path. When we talk about data protection, we mean strict access to documents that are assigned to company roles, and by documents, we mean the document object—not the file cabinets where they’re stored.

This kind of functionality must be configurable in order to satisfy whatever security policies are implemented. By default, the system must prevent access to documents by all users. Therefore, access rules must be implemented. It’s also necessary to log all activity for every document, so companies can track who accessed what, when, and for what reason. Each document must have its own access log, and these logs must exist by design and default.

This article has particular implications for data sovereignty, either when situating data centers in the European Union (EU) or by embracing cloud services that offer jurisdictional assurance for storage, processing, and appropriate security within the EU. Organizations will need to select vendors and cloud providers who can demonstrate that such requirements are built into their respective solutions by design and default—not bolted onto legacy architectures, which will become ever more fragile.

Joao Penha-Lopes specializes in document management since 1998. He holds two postgraduate degrees in document management from the University Lusofona (Lisbon) and a PhD from Universidad de Alcala de Henares (Madrid) in 2013, with a thesis studying the economic benefits of electronic document management (EDM). He is an ARMA collaborator for publications and professionally acts as an advisor on critical information flows mostly for private corporations. Follow him on Twitter @JoaoPL1000.