Document Management Systems (DMS) and GDPR – three key aspects. 

There’s been a lot of talk with regards to GDPR (General Data Protection Regulations). This article is looking at a different angle to the debate; this blog is concerned with DMS and GDPR. Why a DMS? Well, it’s about the creation, storage and control of documents, and with the advent of GDPR, a DMS can take on added importance. So, let’s explore three key areas that reflect best practice with regards to DMS and GDPR compliance.


If your company was the victim of a ransomware attack how easily could this virus get access to your personal data including staff records or customer bank details? Using standard unencrypted file formats is a much more vulnerable position. By using a DMS, documents are held as images in an appropriate format and all files are encrypted on entry so even if an attack happened the risk can be minimised. Encryption of data reflects best practise and goes a long way to being compliant with GDPR.

Role Based Access Control 

One of the key criteria of the GDPR is ensuring information within your company is locked down. We are not just talking about being locked down to the outside world but with the company itself. For example, is there any need for the Marketing Manager to have access to a customer’s direct debit details? Yet, this is not uncommon practice for an Accounts Department. What about the temp you have employed? You may not want this person to have the ability to email or print documents? They might have a job interview with your main competitor the next week! Staff should only have access to the information required to do their job and with a DMS rules can be put in place to restrict access to information.

Retention Control 

It is your responsibility as a business to ensure paperwork is stored safely and securely but also only stored for the appropriate period in line with legislation. For example, its common knowledge that finance documents must be stored for up to 7 years, but not so well known that CV’s should be destroyed once a position in the company has been filled; at that point, there is no need for you to store someone’s personal information. An effective DMS can help maintain best practice across the business by storing personal data correctly and have the facility to flag-up documents at the correct time frame for deletion.

Darren Cairney, IT Manager of Document Data Group also commented, “When you compare a windows file structure and associated permissions with a document management DMS, you can see how a DMS is the next step in securing your business-critical data. Windows is by default open until closed with most users unaware that their newly created ‘Shared Docs’ folder could allow all users with read/write access. DMS can be set up to allow, ‘no user’ any rights until granted, you can restrict, what is searchable and even what can be seen on the document itself.

According to David Reilly, Data Protection Officer at Create Ts and Cs, “Personal Data and how it is managed has become an even more important business issue because of GDPR. Treating personal data with respect and in-line with legislation is a decision a company takes in order to manage the business risk. Deploying the right systems and the correct expertise will go a long way to helping your organisation manage personal data and comply with GDPR”.