With the new regulations not far away we thought we’d take a look at what they are, and what needs to be done to be compliant.
What is GDPR?
The EU’s General Data Protection Regulation (GDPR) is the result of four years of work by the EU to bring data protection legislation into line with the new ways that data is now used. The update is the first of its kind in 20 years and its changes are significant.
The regulation is intended to establish one single set of data protection rules throughout Europe. These rules have already been published but companies are expected to be fully compliant from 25th May 2018.
Your next thought might be: does Brexit affect this? The answer is no. These regulations apply to any organisation that collects and processes data concerning any EU citizen, and the UK will still be a member of the EU when GDPR negligence becomes actionable.
Why should I take GDPR seriously?
Failure to comply with these new regulations would result in substantial penalties.
The maximum fines for the most serious of breaches are either €20 million, or 4% of worldwide annual turnover (whichever is greater). The sort of infringements that could attract the larger fines include:
- Not having sufficient customer consent to process their personal data
- Violating major privacy by design concepts
- Time-delayed security breach notifications
It is expected that larger companies, aware of these regulatory changes, will already have the systems in place to make the changes necessary for compliance, presumably under the direction of an appointed Data Protection Officer.
The changes are more likely to be an issue for smaller companies and startups, which lack the formal structures of a much larger business.
So what do I need to know?
The changes affect individual personal data. Therefore, a key part of the regulation is consent, namely the individual's agreement to the processing of personal data relating to them. Consent doesn't need to be explicitly given; it can be implied by the person's relationship to the company. The data must also only be held for legitimate reasons. Ask yourself: do you need the data, or do you want it?
Additionally, the individual should now have the option to withdraw consent, known as the right to be forgotten. As well as this, if their data is no longer required for the reasons for which it was collected, the data should be erased.
The new regulations demand that individuals have full access to information on how their data is processed, and this must be made available in a clear and understandable way. The individual can make a request for access to their information, and this must be executed "without undue delay and at the latest within one month of receipt of the request".
How do I enforce this?
Make these rights clear to the individual when you're obtaining their data. You should outline:
- The identity and contact details of the organisation
- The purpose of acquiring the data and how it will be used
- Whether the data will be transferred internationally
- The period for which the data will be stored
- The right to access, rectify or erase the data
- The right to withdraw consent at any time
- The right to lodge a complaint
Secure Data can help you with this
Paper records represent a considerable compliance risk. It’s of paramount importance you have a system in place to be able to identify what data you have, where it is and how it’s being used.
If you have paper records, you can store them here with us. We provide secure offsite storage, and our expertise can help audit and index your files, digitise them if necessary and destroy them for free. You'll be able to comply with a host of GDPR requirements.
Here’s an example of the audit types we can provide:
Alongside this service, we offer our clients an efficient, high-volume scanning service. This makes our scanning services suitable for any business that is dealing with high volumes of sensitive documents, enabling your business to maintain a structured, online archive. Your records would be more accessible, searchable and easily distributed across your business.
Along with the audit to determine your documents' retention schedules, the digitisation of your documents will give you the most accessible and secure archive.
GDPR compliance will be made simpler with Secure Data.