The growing expectations of users regarding the ease and availability of online solutions are one of the main drivers of the digital revolution. This, of course, also applies to document-sharing. However, in this case, the comfort of use is only a half-success. In addition to a user-friendly interface and modern functions, what is still of key importance is security.
Today, entrepreneurs are exposed to the risk of losing shared files like never before. They must constantly adapt the company to changing regulations. How to connect these two seemingly distant worlds so that the daily exchange of information becomes both comfortable and safe?
We have created a compact guide in which you will learn how to share corporate documents much, much better.
It’s a question that every entrepreneur should ask. When it comes to sharing documents – which is an inevitable situation while running any kind of business – it is worth starting by identifying the internal and external communication channels of the company.
The internal circulation of documents and information will include the team, our associates, or accountants, regarding both the corporate tools such as email domain and server, and outside platforms used in our everyday work: e.g. Google, Slack or GitLab.
In turn, the external file circulation will apply to customers, contractors, regulatory authorities, offices, suppliers and every entity that is a recipient of our products and services.
Even this simple division of communication channels will help us strengthen security. In the case of internal communication, it is worth creating a list of currently used applications and then reducing it to a minimum so that communication is as centralized as possible with just a few tools. In the case of external circulation, however, it will be particularly necessary to establish communication rules and apply good practices for secure file and document sharing by all employees, e.g. against phishing. Alas, we will not always have an influence on how the other party communicates.
By creating guidelines for communication in the company, you will minimize the risk of information chaos, which may be difficult to clean up when challenges arise. Besides, a narrow range of tools has several main advantages:
From the perspective of an external addressee, consistent communication on the part of our company will be perceived only positively. It’s worth limiting the number of e-mail threads with the same person, and if we share large files – using a cloud-based tool to do it, preferably one integrated with e-mail. A well-structured communication will have a positive impact not only on relations, but also on the course of cooperation.
Let’s start, however, with the must-haves. There is no question of information security without taking into account the GDPR, especially when our company operates in or with the EU countries. People who are just starting to think about their own business should carefully read the general data protection regulation: Regulation (EU) 2016/679 of the European Parliament and of The Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Regardless of the company size and industry, the provisions of the GDPR give a lot of freedom in terms of how the data – and thus also the shared documents – will be protected. However, they must be protected without exception, and the GDPR obliges entrepreneurs to create a policy for the processing of personal data and to respect the right of customers to view, modify and delete their data.
Any company owner can act as the administrator of the personal data of the company’s clients. There are no special requirements as to their competences, unless the processing of personal data is the company’s core activity – in that case, a data protection officer should be appointed.
Complying with the GDPR is a statutory necessity in the EU. If you have doubts as to whether your company processes personal data correctly, the best solution is to consult a specialist and conduct appropriate training.
Entrepreneurs should be aware that sharing documents with parties both inside and outside the organization is one of the ways of data processing. Documents containing personal data, and, therefore, subject to the protection of the GDPR, must be processed with the consent of their owner.
By definition, this processing means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
In practice, the company begins processing personal data as soon as it obtains the consent of the data owner or sources data from a publicly available source. It is important to ensure that, for each document, including archival documents, every employee is able to recognize whether they are competent to process the data contained in it and how to process that data – and, in the context of this article, whether, how and to whom to make it available. Determining which people in the company can process documents subject to GDPR protection, and to what extent, is absolutely crucial.
The GDPR distinguishes between administrators (controllers) and persons responsible for the processing of personal data (processors). Both of these groups may share the same responsibilities, but only the administrator can set the rules and purpose of data processing, of course in accordance with the regulation. Building this awareness in the team is one of the pillars of secure document sharing.
There is also a second pillar, which can be broadly defined as the knowledge of the rules of safe usage of the Internet, with particular emphasis on the phenomenon of phishing, which takes its toll even on experienced users.
Phishing is nothing more than a fraudulent attempt to obtain data by means of various types of social engineering. One example of phishing is a cybercriminal impersonating a company’s client in order to obtain that client’s account login details. Unfortunately, there are more and more cases of attackers pretending to be a bank or a public institution in order to exploit that institution’s authority when phishing for confidential information.
Building awareness, training and practicing mindfulness – also through controlled penetration tests – is the best way to counter the threat of phishing, which, because it targets people rather than systems, is unfortunately so effective and so willingly used by cybercriminals.
Now let’s move on to the issue of file-sharing itself. As we wrote at the beginning, the fewer tools we use to share documents, the better for security. The keyword here may be the data repository. A repository will enable you to reduce the frequency of uploading files and to share links instead of separate documents, which not only facilitates cooperation of several employees at the same time, but also allows you to delete a file from the server when, for example, it has been sent by mistake. In such a case the link will simply stop working.
This is not always an ideal method, because it may happen that the recipient has already downloaded the file to their disk, but in many instances, e.g. when viewing a PDF in a browser, the file will end up in a temporary folder and become unavailable on another viewing attempt.
Overproduction of documents is a threat to information security. Therefore, it is worth including a tool for sharing documents in your daily work, for example G Suite, which, to some extent, can also function as a corporate repository.
The Mountain View giant’s platform will allow you to merge mail, spreadsheets, text editor and disk space, which all provide a high level of data security and a good workflow for the team. Large files can be uploaded to Google Drive and shared as links. The advantage of Google tools is also the ability to grant several models of permissions to a given document to people who have a link or to limit the rights only to selected people.
While Google is a good choice for internal team work and sharing current documentation, we should think about a dedicated solution when sharing strictly confidential files, especially outside the organization. VDR, also known as a virtual data room, is a cloud-based platform used for the most secure sharing of all types of business information with clients, partners or public institutions.
It is an industry standard in the consulting, financial or investment industry – wherever the highest protection of files shared online is required. In fact, only VDR will allow full control over who will be able to access a given document and to what extent. What distinguishes this solution?
VDR approaches the issue of security holistically – it is both the product itself and compliance with strict regulations (GDPR, MiFID, MAR, ISO 27001 and so on) combined. An exceptional level of internal organization and knowledge of the team make this SaaS solution a security standard as high as in electronic banking.
What VDR features allow for secure sharing of documents through this tool?
One of the unique features of VDR is system administrator reports. After launching a virtual data room in our company, the administrator function can be performed, for example, by a data protection officer or the head of a given project, department, etc. It is possible to create a clear structure of documents for each group/project and to establish a hierarchy of data access for each user, so that managing multiple projects at the same time is possible. The person supervising the system (including the company owner) will have access to all settings and be able to evaluate the progress of work.
Reports offered in the FORDATA VDR solution include, among others:
Reports allow us to define who, when and for how long was logged into the system and what documents he or she opened, and even for how long they were viewed. Thanks to this, it is possible to accurately determine the work history of a given user and to actually determine what information was processed by them.
Virtual data rooms also have a number of functions that restrict access to the files stored in them, both for users and for third parties. They include, among others, two-step authentication, limiting the pool of IP addresses from which you can log into the system (e.g. only from company addresses), geographic restrictions (e.g. preventing access to and processing of data located in the system from outside the country), confirmation of the NDA agreement at each login, or forcing a password change on the first login to the VDR.
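To make the restrictions listed above concrete, here is an added example (not FORDATA code, and not a description of how any real VDR implements them) of a login-policy evaluator that applies an IP allowlist, a country restriction, mandatory two-step authentication, NDA confirmation at each login and a forced password change on first login. The network ranges, country codes, user names and login attempts are all constructed for the illustration; the country of an attempt is assumed to come from a geolocation lookup that is not shown.

```python
"""Login-policy evaluation for a data-room style service (added example).

Constructed illustration; it is not FORDATA code. All policies, network
ranges and sample logins are made up for demonstration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set


@dataclass
class AccessPolicy:
    allowed_networks: List[str] = field(default_factory=list)  # CIDR ranges, e.g. office egress
    allowed_countries: Set[str] = field(default_factory=set)   # ISO 3166-1 alpha-2 codes
    require_second_factor: bool = True
    require_nda_each_login: bool = True
    force_password_change_on_first_login: bool = True


@dataclass
class LoginAttempt:
    user: str
    source_ip: str
    country: str          # assumed to come from a geolocation lookup (hypothetical)
    second_factor_ok: bool
    nda_confirmed: bool
    is_first_login: bool


def evaluate_login(attempt: LoginAttempt, policy: AccessPolicy) -> dict:
    """Apply every configured restriction and report all failures at once.

    Returns {"allowed": bool, "denied_by": [...], "required_actions": [...]}.
    Checks do not short-circuit, so an administrator reviewing a denied
    attempt sees every rule it violated, not only the first one.
    """
    denied: List[str] = []
    actions: List[str] = []

    # 1. Network restriction: the source address must fall inside an allowed range.
    if policy.allowed_networks:
        addr = ip_address(attempt.source_ip)
        if not any(addr in ip_network(net) for net in policy.allowed_networks):
            denied.append("ip_not_allowlisted")

    # 2. Geographic restriction on where the data may be accessed from.
    if policy.allowed_countries and attempt.country not in policy.allowed_countries:
        denied.append("country_not_allowed")

    # 3. Second factor is mandatory, not optional per user.
    if policy.require_second_factor and not attempt.second_factor_ok:
        denied.append("second_factor_missing")

    # 4. The NDA has to be confirmed on every login, not only once.
    if policy.require_nda_each_login and not attempt.nda_confirmed:
        denied.append("nda_not_confirmed")

    # 5. First login is allowed, but nothing else may happen before a password change.
    if policy.force_password_change_on_first_login and attempt.is_first_login:
        actions.append("change_password")

    return {"allowed": not denied, "denied_by": denied, "required_actions": actions}


# Constructed policy: two documentation address ranges stand in for company egress.
COMPANY_POLICY = AccessPolicy(
    allowed_networks=["203.0.113.0/24", "198.51.100.0/24"],
    allowed_countries={"PL", "DE"},
)

# Constructed login attempts covering the normal case, a new user and a denied one.
SAMPLE_ATTEMPTS: Dict[str, LoginAttempt] = {
    "office_user": LoginAttempt("anna", "203.0.113.17", "PL", True, True, False),
    "new_hire": LoginAttempt("bartek", "198.51.100.8", "DE", True, True, True),
    "foreign_unknown": LoginAttempt("unknown", "192.0.2.5", "US", False, True, False),
}


if __name__ == "__main__":
    for label, attempt in SAMPLE_ATTEMPTS.items():
        print(label, evaluate_login(attempt, COMPANY_POLICY))
```

The evaluator collects every violated rule rather than stopping at the first, which is what you want in an access report: a denied attempt from an unknown address, an unexpected country and no second factor is a different signal from a colleague who merely forgot their token.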
If communication is being carried out at the same time regarding the project whose files are collected in the VDR, it is possible to run the Q&A module, useful especially while cooperating with external specialists, e.g. an auditor or a lawyer. Such communication will be equally protected, and its record, along with the system reports, will be available in the form of a post-project archive. This will allow you to keep the entire history of work on the project – useful especially in the case of legal disputes, when you need a material record of cooperation, decisions made or advice given – with the entire record stored in one platform.
To explain how valuable this feature is, let’s look at the following situation:
Confidential financial information emailed from a company client was forwarded by a manager to a part of the team. An authorized group of users from the “Accounts” folder has gained access to these documents. Unfortunately, the file was mistakenly shared with another group, “Outsourcing”, which included 5 people who were not authorized to view this documentation at all. As a result, there was a breach of the provisions on the protection of personal data and the disclosure of the trade secret to a third party.
While in the case of e-mail such an error would be irreversible, in the data room immediate action can be taken at any time. Not only are we able to withdraw access to the documentation for the “Outsourcing” group with just a few clicks, but also to check whether its members have opened, saved or printed the document (if they initially had such permission granted) and to assess how long the documentation was viewed for. This will allow us to mitigate or even completely neutralize the consequences of the mistake, a feat impossible to achieve with popular tools.
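The two things that make the scenario above recoverable are group-based grants that can be revoked in one step and an audit trail that survives the revocation. The following added example (a constructed toy model, not FORDATA code or a description of its implementation) replays the mistaken share with the “Accounts” and “Outsourcing” groups from the text and then produces the kind of per-user report described in the section on administrator reports: who in the wrongly added group opened, saved or printed the file, and for how long it was viewed. Document name, users and timestamps are made up.

```python
"""Toy data room: group grants plus an audit log (added example).

Constructed illustration of revoking a mistaken share and reading the
audit trail afterwards. Not FORDATA code; all names and events are made up.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set


@dataclass
class AuditEvent:
    ts: datetime
    user: str
    doc: str
    action: str  # "open", "close", "save" or "print"


@dataclass
class DataRoom:
    groups: Dict[str, Set[str]] = field(default_factory=dict)                       # group -> members
    grants: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))   # doc -> groups
    audit: List[AuditEvent] = field(default_factory=list)                           # append-only

    def share(self, doc: str, group: str) -> None:
        self.grants[doc].add(group)

    def revoke(self, doc: str, group: str) -> None:
        # Access is withdrawn for the whole group at once; the audit trail is untouched.
        self.grants[doc].discard(group)

    def can_access(self, user: str, doc: str) -> bool:
        return any(user in self.groups.get(g, set()) for g in self.grants[doc])

    def record(self, ts: datetime, user: str, doc: str, action: str) -> None:
        """Log a user action; anything other than closing requires a current grant."""
        if action != "close" and not self.can_access(user, doc):
            raise PermissionError(f"{user} has no access to {doc}")
        self.audit.append(AuditEvent(ts, user, doc, action))


def exposure_report(room: DataRoom, doc: str, group: str, as_of: datetime) -> Dict[str, dict]:
    """Summarise, for every member of `group`, what they did with `doc` and for how long."""
    report: Dict[str, dict] = {}
    for user in sorted(room.groups.get(group, set())):
        events = sorted((e for e in room.audit if e.user == user and e.doc == doc),
                        key=lambda e: e.ts)
        actions = sorted({e.action for e in events if e.action != "close"})
        viewed = timedelta(0)
        opened_at = None
        for e in events:                     # pair each open with the following close
            if e.action == "open":
                opened_at = e.ts
            elif e.action == "close" and opened_at is not None:
                viewed += e.ts - opened_at
                opened_at = None
        if opened_at is not None:            # still open when the report is produced
            viewed += as_of - opened_at
        report[user] = {"opened": bool(events), "actions": actions,
                        "seconds_viewed": int(viewed.total_seconds())}
    return report


def build_incident_report() -> dict:
    """Replay the mistaken-share scenario and return what the administrator learns."""
    t0 = datetime(2024, 5, 6, 9, 0)          # constructed timestamps
    room = DataRoom(groups={
        "Accounts": {"anna", "bartek"},
        "Outsourcing": {"celina", "dawid", "ewa", "filip", "grzegorz"},
    })
    doc = "Q3_financials.pdf"                # constructed document name
    room.share(doc, "Accounts")
    room.share(doc, "Outsourcing")           # the mistaken share

    room.record(t0, "anna", doc, "open")
    room.record(t0 + timedelta(minutes=10), "anna", doc, "close")
    room.record(t0 + timedelta(minutes=5), "celina", doc, "open")
    room.record(t0 + timedelta(minutes=7), "celina", doc, "print")
    room.record(t0 + timedelta(minutes=12), "celina", doc, "close")
    room.record(t0 + timedelta(minutes=20), "dawid", doc, "open")
    room.record(t0 + timedelta(minutes=21), "dawid", doc, "close")

    room.revoke(doc, "Outsourcing")          # one step withdraws access for all five users
    try:
        room.record(t0 + timedelta(minutes=30), "celina", doc, "open")
        blocked = False
    except PermissionError:
        blocked = True                       # later attempts are refused

    return {"revoked_access_blocked": blocked,
            "exposure": exposure_report(room, doc, "Outsourcing",
                                        as_of=t0 + timedelta(minutes=30))}


if __name__ == "__main__":
    for user, summary in build_incident_report()["exposure"].items():
        print(user, summary)
```

The report lists every member of the wrongly added group, including those with no events at all, because for a breach assessment “did not open it” is as important a finding as “printed it”. Note that the audit entries written before the revocation remain available afterwards; an audit log that could be edited or emptied by the same administrator who made the mistake would not support the kind of post-incident record the text describes.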
Best practices of file sharing are fundamental to corporate security. However, choosing the right technology will allow us to obtain many additional benefits. Popular cloud tools, such as Google, will work well in the daily work of the team. They enable easy collaboration on files and reduce the number of tools and communication channels, thus reducing document overproduction.
When we need to provide sensitive documentation, however, it is worth taking a look at dedicated solutions, such as VDR. It will give you maximum control over the information flow and the file-sharing process. Thanks to the features typical of solutions of this class, such as activity reports, detailed file-permission models, data encryption and access restrictions, it is an optimal tool when we want to create a secure repository in the company, shared both inside and outside the organization.
We hope that the information gathered here will help you better look at the issue of secure document sharing also in your company.