Is your company ready for the General Data Protection Regulation (GDPR)?
There are only 12 months left before enforcement begins.
The GDPR strengthens privacy rights of individuals who live in European Union (EU) countries, giving them better control of the personal information that companies hold about them. Despite the implications of Brexit, UK organisations will still need to ensure GDPR compliance.
The legislation also provides a clear set of rules for companies to follow when handling personal information.
One of the most significant aspects of the GDPR is that it affects all companies, anywhere in the world. If a company processes information about European Union citizens then it must comply with the regulation.
The GDPR will extend enforcement too. Organisations that are not fully compliant will face fines of up to 4% of their global turnover – along with the damaged reputation and customer confidence that a data breach can cause.
Here are some of the main steps that companies should take now to ensure GDPR compliance:
- Policy: Review the information security policy including data residency and retention procedures. A formalised document management process should monitor and protect all forms of confidential information from creation to destruction. The GDPR introduces the ‘right to be forgotten’, which means organisations can’t keep personal information for any longer than necessary and must delete or remove the information if the owner requests it.
- Notification: Create a detailed breach notification plan. While any data breach should be dealt with quickly, certain types of breaches must be reported within 72 hours under the GDPR.
- Consent: Review the consent process for personal information. Companies must use clear language to state how they intend to manage and use the data they receive.
- Leadership: Public bodies and organisations processing large amounts of personal data, or data that is particularly sensitive, must appoint a data protection officer (DPO). But all businesses and organisations should seriously consider appointing someone to be in charge of information security.
- Privacy by design: The GDPR requires appropriate measures to protect personal data in the workplace - embedding security-driven processes will help standardise privacy. A Clean Desk Policy, for example, stipulates that all information is locked away securely when employees are away from their desks. Partnering with a document destruction company simplifies information disposal and sends the message that security is critical. A Shred-it All Policy specifies that all documents are securely destroyed when no longer needed. Under the GDPR, organisations must demonstrate compliance, and a reliable document destruction company will issue a Certificate of Destruction after every shred.
- Information assessment: Utilise Privacy Impact Assessments (PIAs). The GDPR makes PIAs mandatory in certain circumstances, and the assessment should be implemented in the early stages of projects involving the processing of personal data.
- IT systems: Update IT systems based on the requirement that software includes functionality to protect the privacy of individuals.
- Staff training: Provide ongoing training, and be sure everyone understands their role in protecting personal information. Executives and managers should demonstrate their commitment to data protection too. Implementing a culture of security from the top down is recommended.
- Expert advice: Consult with legal counsel, data protection and information security specialists to resolve any potential data protection issues that may lead to non-compliance.
For more information about the GDPR and how it affects your business, download our free whitepaper.
Start Protecting Your Business
To learn more about how Shred-it can protect your documents and hard drives, please contact us to get a free quote and data security survey.