<img src="https://i.canddi.com/i.gif?A=f0f63a3d3d2d596f1b8c53b1e727e618">

Document Management and GDPR

Author: Ruban Rajasooriyar

How GDPR compliant is the information in a document management system? Something we're often asked about.  The EU General Data Protection Regulation (GDPR), has been in force since the 25th May 2018.  It is about the protection of personal data such as a person’s name, email address, medical information, phone number etc.

There are six reasons a company has the right to processes personal data:

  1. Consent
  2. Fulfillment of a contract
  3. Legal obligation
  4. Vital interests
  5. Task in the public interest/for official functions
  6. Legitimate interests.

How a document management system can help with GDPR

It is unlikely that one single system can meet every aspect of the regulation.  It may require coordination from different forms of technology and policies, but a document management system  can go a long way to help.

Find and access personal data

A document management system digitises documents in a secure way, making it easy to find all personal data.  Emails, contracts, invoices etc. are tagged with metadata which correctly classifies and categorises them.  A simple search by 'document type', brings back all related information.

DocuWare’s Intelligent Indexing uses machine learning to automate this classification process, supporting compliance and reducing complicated and lengthy data entry.

Secure access

Only authorised users can access personal information by applying access controls and permission management.  For example, only the HR team can see employee contracts, other departments including IT, are restricted.

DocuWare can prevent documents containing personal information being unintentionally emailed or transferred out of the company.


Rules can be added around retention and deletion to ensure data isn’t kept longer than needed.  Any changes to documents are logged to show who amended what and when.  A document management system complies with GDPR in this way, as an audit trail proves only authorised staff had access to any personal information.

The ability to export data

If asked about personal data, a business must be able to export all the information to the requester within 30 days.  Depending on the request, the information may also need to be changed or deleted.  If the data needed is sorted across multiple locations, such as filing cabinets, storage facilities or folders on a server, it could prove to be a lengthy job.

Storing all documents related to an employee in a document management system means there’s only one place to find everything you need.  With DocuWare, this information can easily be exported or transferred.

Subject Access Requests

A document management system enables a Subject Access Request to be easily carried out, using the full text search option.  By looking up the requester's name,  the system can call up any document where that name appears.

A document management system can support your organisation with its GDPR obligations, meaning time and attention can be focused on other important aspects of the business.

Request More Information

Contact us now for more information 0161 647 7040