How to Manage Documents in the Cloud When Compliance is Key

Businesses focused on compliance-heavy industries, like accountants, financial advisors and HR firms, are some of those that see the greatest benefit from document management systems. Their day-to-day work involves routine handling of confidential documents that are subject to a variety of different legislative requirements, while simultaneously needing to be externally shared with a range of different clients and customers, each of whom makes their own changes.

That’s a highly consequential chain of actions in which potential calamity haunts every document transfer, and such businesses need to be absolutely scrupulous about access control and version control - on pain of severe financial penalty. The prospect of a unified platform that tracks everything for you, and even holds the auditor’s hand at year-end, is understandably appealing. But it’s vital to ensure you’re using the right platform and the right processes. 

This page outlines the key issues and processes for compliance-heavy companies moving to cloud-based document management. If you want to learn more about specific industries, check out our guides to the best document management tools for accountants and IFAs.

1. Choose a compliant platform from the off

Current legislation defines a variety of different standards and best practices for things like encryption and user access, and the easiest path to compliance is using a proper document management platform that has been certified as offering them (and not cheaping out and using a consumer tool that offers nothing of the sort).

Select a cloud provider that complies with industry standards for cybersecurity, like the snappily-named CIS Critical Security Controls, the NIST Cybersecurity Framework, SOC 2 (System and Organisation Controls) and the Cloud Security Alliance, along with more workaday standards such as GDPR and the ISO. If you’re handling healthcare data in the US, you’ll also need HIPAA certification. Compliance with these frameworks ensures that your provider has robust security and data handling protocols in place, and it’s something that should be very easy to confirm - you can view Workiro’s compliance certifications here.

2. Use role-based access control (RBAC)

This should be included in compliant platforms, but you have to make sure it’s used correctly. Role-based access control means that you can define access to certain tiers of data (for instance, division-level financial reporting) based on the user’s role (for instance, accounting associate). That makes it easy to assign a user a role in the DMS and know they’ll have the right access, rather than having to grant it manually.

Besides being time-consuming, granting access on an ad hoc or per-task basis is a recipe for people accumulating a grab-bag of different keys to data across the business - which can lead to terrible consequences by accident or design. The best document management tools, like Workiro, let you assign access to authorised users by client or project, which is the sort of granularity that makes it very easy to stay on top of who has access to what. It’s one of the key benefits of using a professional DMS rather than normal cloud storage - advanced tools like Workiro offer additional features like limiting staff to only recent files, rather than a customer’s entire archive.

3. Have a regular backup schedule

Being able to recover lost data is a basic compliance requirement, and is specified by GDPR legislation among others. Any cloud-based document management system will handle this by default and automatically, with simple version control to keep track of changes. Businesses with particularly stringent compliance requirements should consider supplementing this with additional backup providers, so that there’s an additional layer of protection, although in many cases it won’t be necessary.

4. Have clear retention and deletion policies

The ease with which cloud-based document platforms maintain backups has one downside: it’s a bit easier to build up archives that you don’t need, particularly if you have unlimited cloud storage. This is particularly risky for personal data, which under GDPR can only be retained if there’s a clear business justification, while tax information needs to be held for six years. Law firms may also need to hold criminal offence data, which is treated in a similar way to sensitive data, with additional conditions laid out by the ICO.

You need to have a clear set of policies for the data you hold, including a specific timetable for disposal and a schedule for acting on it, and ensure that you’ve assigned processes and staff to handle it. The “accountability principle” of GDPR specifies that you have a person responsible for compliance, and that you need to demonstrate that compliance. The good news is that your DMS should make it easy to locate files for deletion, so you won’t have forgotten email attachments lurking in the archive that can surface during a Data Subject Access Request.

5. Monitor and audit data access regularly

Your DMS platform should include logging of who’s accessing what. Make sure those logs are easy for managers and auditors to view, and have a timetable to regularly review who has access to what, and correct things where necessary. That’ll likely be included in the audit process if you’re blessed with sufficient scale to mandate one, but having to pick through a voluminous user list and work out who’s doing what can be a huge time-sink.

Plus, if the worst happens and a regulatory body like the Financial Conduct Authority (FCA) or the Information Commissioner’s Office (ICO) comes knocking, you need to show that you’ve been diligently monitoring access to sensitive data. Good logs and regular audits are what will keep you safe from fines and judgements.

6. Force the use of multi-factor authentication (MFA)

This is something that your staff will moan about. Do it anyway: using MFA via an authenticator app or token is an incredibly powerful security step that makes it far, far harder for malicious entities to access your systems and data. It’s an additional inconvenience for workers, and for that reason it’ll probably come up in the employee satisfaction surveys forever, but handling that is a lot cheaper than whopping fines and departing customers if you get hacked.

7. Train your team on data security best practices

While we’re on the subject of annoying the staff, regular security training is another key audit requirement, and a must for compliance-heavy teams. It should include training on how to handle sensitive information, how to identify phishing attempts, and the importance of maintaining and monitoring access controls. Review it regularly to make sure that it keeps up with the latest developments - regulation continues to evolve, and AI is coming up with new exploits every week. Which leads us on to our final point…

8. Regularly review cloud storage contracts

As the world changes, your cloud storage provider needs to change with it. Make sure you review your contract and the service they offer at least once a year, to make sure it’s still doing what you need it to, and it’s keeping up with the latest technologies and threats.

As we’ve hopefully made clear, the most important step for compliance-heavy teams is picking the right document management platform to begin with. The right DMS will support all major compliance requirements right out of the virtual box, so your focus needs to be on training and monitoring to make sure it’s being used correctly. If you’d like to find out more about how document management tools like Workiro can support compliance-heavy businesses, set up a call with one of our specialists.
