September 26, 2017

GDPR: Key Data Changes Your Company May Need to Make Now

Is your workplace based in the UK? Or does it handle personal information from individuals who live in the European Union?

If so, you only have until May 2018 to put the right data management processes in place to comply with the new General Data Protection Regulation (GDPR).

Enforcement of the regulation is scheduled to begin in late spring, and there are significant financial penalties for companies that don’t comply. With the enforcement date fast approaching, thorough preparation is vital.

Here are some ways in which companies should be preparing:
  • An extensive review of data in storage will show whether or not personal data covered under the regulation is being held and handled (third party storage applies too). 
  • For reference, revise the corporate privacy policy so it fully explains how personal data is used and why. Keep records of personal data processing.
  • In certain circumstances a Privacy Impact Assessment (PIA) will be required when handling personal data, especially when using new technologies. It is important to do the assessment in the early stages of projects.
  • The consent process for personal information may need to be reviewed. Where consent is being used as the basis for processing, the GDPR requires documented permission including the data and source of the consent. There must be ‘opt-in permissions’ as failure to opt out will not be sufficient consent. It must be as easy to withdraw consent as it is to give it.​
  • Be prepared for information requests and sharing. The legislation allows individuals to request copies of their data held by companies.
  • A ‘privacy by design’ requirement calls for data protection from the onset of collection. Always collect the minimum amount of information, and consider privacy at the planning stages of projects. It will be helpful to embed security-driven processes in the workplace too. A Clean Desk Policy, for example, means all information will be locked away securely when employees are away from their desks.
  • Put a formal information destruction process in place. The GDPR’s ‘right to be forgotten’ means organisations can’t keep personal information for any longer than necessary and must delete or remove the information if the owner requests it. A comprehensive document management process will help monitor and protect information from creation to destruction. Partner with a document destruction company for secure information disposal. A Shred-it All Policy specifies that all documents are securely destroyed when no longer needed. After every shred, the company should issue a Certificate of Destruction, which can be used to help demonstrate that the information has been handled securely for compliance purposes if necessary.
  • Create a detailed breach notification plan. Under GDPR, notification for certain types of breaches will become mandatory and it must be done within 72 hours of first having become aware of the breach.  
Start Protecting Your Business 

To learn more about how Shred-it can protect your documents and hard drives, please contact us to get a free quote and data security survey.