Document privacy is a problem faced by every size of business.
How anyone can redact (remove) sensitive data in 4 simple steps.
The wide-spread increase of data privacy regulations, associated data subject access requests (DSARs) and fines are reflected in the huge rise in corporate budgets allocated to data privacy and data security.
Data privacy budgets are projected to rise by 30% 2021 to 2023, and data security budgets by 25% in the same period, to reach spend levels approaching $5Billion (Gartner).
Data privacy compliance is a challenge for all businesses
While the problems and budgets are captured routinely for large enterprises such as national retailers, banks and insurers, the effect of compliance obligations on smaller operations are harder to gauge.
However, every type of operation is feeling the pressure of DSARs and the need for strict document privacy compliance. Some smaller organisations have forums where they are able to express their concerns. General Medical Practices quantified their issues and challenges in a GP online survey.
GPs said their practices received on average seven DSARs a week – although some received many more. The results suggest that some practices are spending at least seven hours of a staff member’s time a week processing DSARs – for which they receive no funding. Practices also incur costs related to photocopying, printing and postage if patients request a hard copy of their record.
One GP complained: ‘It is a huge workload checking for third party information, particularly for patients with a lot of notes.’ The time and complexity associated with document data privacy expressed by GPs corresponds with Facit’s experience in recent years. While large enterprises were the first to invest in compliance technology, very few companies are unaffected by DSARs today and many smaller companies are looking for ways to comply efficiently and cost-effectively.
A reminder about the causes behind DSAR rises
Facit has previously commented on the factors behind the steady rise in DSARs. The public has generally become far better informed of its rights since the introduction of GDPR in 2018. Plus, it is clear that during the pandemic, pre-litigation DSARs rose sharply to support employment tribunals owing to redundancies. The current prediction is that the cost-of-living crisis will replicate pandemic numbers, while departmental budgets will remain the same.
Technology solutions for document privacy compliance and cost reduction
Most document redaction tools are censoring or obscuring tools that ‘hide’ sensitive parts of a document.
Facit recommends that you look for a redaction tool that totally removes data that could lead to a privacy breach. A data removal tool means you will not be at risk of redaction reversal when it is handed to a third party.
Four simple steps to redact a document correctly
We advocate that all sizes of organisation deploy document redaction technology on the grounds that it will ensure proper privacy compliance, as well as reduce business disruption and the costs associated with manual processes and other forms of redaction. Do not be tempted to attempt a quick fix in MS Word documents, for example.
What is a document?
For the purposes of this article, we view a document as any file containing text. The difficulty for most businesses is that data is held in multiple locations and multiple formats such as system files, Word files and spreadsheets, and unstructured formats such as email and notes. To reach your compliance and cost-saving objectives, you will need to use a redaction tool capable of handling each format effectively.
Pre-redaction checklist
Do not redact original documents
Do not redact the original document or source file as you will not be able to retrieve the data for in-house use.Do not use mark-up tools
Mark-up tools will leave you open to the likelihood of someone removing the mark-ups and exposing the data you want to hide.Be aware of metadata
The appearance of data removal can be deceiving. Hidden data attributes, or metadata, must be expunged.
The 4 steps to assured redaction
1. Upload documents
The simplest way to proceed is to upload a copy of your documents (not the originals) into redaction software. Optionally you can choose to convert source files into PDFs before uploading. It is important to ensure that all instances of sensitive data are removed, which is not something that all redaction tools can achieve in documents such as spreadsheets with multiple rows and columns.
2. Prime for data removal
The best redaction tools enable you to enter selected terms or field types to be removed automatically throughout the uploaded documents. The system should identify all data, including third-party names, addresses, national insurance numbers and any other personally identifying data.
3. Execute redaction and sample results
Execute the auto-redaction and subsequently sample the results in areas of the document, especially in locations where data is known to be difficult to find.
4. Export and save redacted document image
The operative word in step 4 is ‘image’. The most reliable compliance tools do not output a working document as you know it. The exported document is an image that cannot be tampered with – or be subjected to redaction reversal – which means that it can be passed to the data requester without fear of data privacy breaches.
Conclusion
If you work in a large organisation, look for a reliable, scalable document redaction solution that is capable of flexing with shifts in DSAR demands. If you are a smaller company, perhaps experiencing its first DSARs and data privacy issues, do not be tempted to try manual redaction. First, implement a trial of a proven redaction solution and develop a business case for the relative compliance effectiveness, performance and costs of professional software over home-made redaction solutions.
