What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation by the European parliament and council on the protection of natural persons with regard to the possession of personal data and the free movement of such data, and repealing Directive 95/46/EC. (27 April 2016)
Some of the main points that are included under GDPR are:
- All EU citizens, regardless of their location, are included.
- All Companies that target EU citizens, regardless of the company location, are required to comply.
- It's a regulation, not a directive, so you will need to comply.
- Personal data includes name, address, national ID number, medical records, DNA, IP address, e-mail address, RFID, HR info, and more
But don’t worry, there are benefits to GDPR.
More qualified leads
Anyone allowing you to have or keep their data are genuinely interested in your company and/or products.
No more friction at data subjects side about your company using their personal data. They know what, why, where, how and how long you will store their data, and have the right to be forgotten by your company. Leading to more trust between them and your company, and better long-term relationships.
We all like trust, but studies show that leads are more likely to buy products/solutions from companies they trust. Take advantage!
Redaction or the removal of sensitive or personal data is a big point of discussion when talking about the GDPR. iText's pdfSweep offers you many tools to apply redaction to a PDF file. This tool offers more than the classic "black bar" approach, when pdfSweep redacts a file it does a deep removal, meaning that the redacted content will actually be removed entirely from the file. pdfSweep offers a few ways to do this, by offering the classic API in which you define areas to be redacted or the more recent feature to allow redaction based on regex patterns.
PDF isn't an easy format to parse or to find a certain phrase. To solve that, iText has a powerful extraction API. This API allows you to not only retrieve PDF content and its coordinates, but also all kinds of metadata associated with the PDF content, e.g. which font, font size, color, tagging, ... is used on a certain piece of text. This allows the user to do a thorough analysis of their documents, which supports them in their data retrieval process.
The GDPR also talks about securing data. Encryption is a way (if not the way) to secure your PDF files and data. iText allows you to encrypt your PDFs using industry standard algorithms and practices. This feature is well tested and well documented on our web site.
The PDF standard allows you to add metadata to your PDF files. If your PDFs contain data on data subjects, it might be a good idea to mark these PDFs with an identifier. This can be done in the metadata of the document. iText Core has several ways of adding metadata to a file and it also allows you to easily change, read, and delete metadata from a file.
iText has always been a champion of PDF standard compliancy. And as such we support PDF/A and PDF/UA. These rely on a PDF structure known as Tagged PDF. In a nutshell, this is adding semantic information on the content of a PDF file, so that a viewer or processor knows what the content is he is processing. This construct can also be customized to your workflow meaning you could add markers in PDF files to indicate where personal data is located. This in turn can be leveraged when using text extraction for easy retrieval of marked data.
VI. POWERFUL API
The power of iText lies in its easy to use API. It hides a lot of the PDF standard from its users and it offers a document model system. But underneath there is an API that allows a user to finetune everything in a PDF file, this is known as the "low level API". We made the conscious choice to offer both ways to create and manipulate PDF files. This low level API enables the power user to fully customize a PDF file to their needs.
Action plan: change your companies mindset and design by privacy
- Check with your management if there is already a plan in place to be compliant with GDPR.
- Explain to them the benefits of being GDPR compliant, if there is no plan in place yet.
- Make a list of all data captured:
- What do you capture?
- Why is it captured? Is this necessary?
- Where is it stored?
- How long is it stored?
- How is it stored? Has it been secured?
- Clearly state your intent and the duration of data storage. There needs to be a clear goal and purpose to the collection of data.
- Ask your data subjects explicitly for consent - allowing you to collect data - and explain that this consent can be withdrawn at any point. Do not use pre-ticked checkboxes, silence or inactivity.
- Create protection for all personal data allowing each data subject to access all data stored about them in a readable, usable format.
- Offer a user friendly way for data subjects to update their data or request removal of their personal data from your database.
- Offer data subjects a way to opt-out if they no longer want to receive updates. Allow them to be forgotten.
- If you are using third party tools, check with them if they are also GDPR compliant.
- Create a breach policy: what to do if there is a breach, who do you contact (who contacts them), and how do you fix it?
Still have questions about PDF solutions for GDPR?
We're happy to help! Send your questions to us, and we'll get back to you a.s.a.p.