Information security experts are putting the spotlight on the General Data Protection Regulation (GDPR) – and rightly so.
The landmark General Data Protection Regulation, which will come into effect in May 2018, is a major overhaul of European data protection legislation. It brings protection up to date with trends in digitised data, strengthens individual privacy rights, and increases data protection compliance and enforcement. Organisations that do not comply face much higher fines of up to 4% of their global turnover, or €20 million, whichever is higher.
What’s also significant is who the regulation applies to. The GDPR will replace the current EU Data Protection Directive for countries that are part of the European Union (including the Data Protection Act in the UK, despite the implications of Brexit). But all companies, anywhere in the world, that process information about EU citizens must comply as well.
For a GDPR overview, here are some of the important aspects of the new legislation as well as best practices that will protect the workplace:
- Transparency: The GDPR calls for mandatory record keeping; plus, data protection authorities can review a company’s privacy policies at any time. All organisations should have a comprehensive information security policy that outlines data management and safeguarding procedures.
- Leadership: Organisations with more than 250 employees will have to appoint a Data Protection Officer. But experts recommend that every company have a qualified data protection officer. “With today’s technology, there are many organisations with fewer than 10 employees that process the personal data of thousands of people and have a much higher risk than many larger organisations,” said a privacy lawyer in a computerweekly.com post.
- ‘Right to be Forgotten’: Personal information cannot be held for any longer than necessary and only for the purpose it was originally collected for, making secure destruction of personal information critical. Partner with a reliable document destruction company that provides secure destruction services for paper documents, hard drives and electronic media, and issues a Certificate of Destruction after every shred.
- Notification: Some data breaches will have to be reported within 72 hours of discovery. Implement a breach notification process that makes use of detection technologies and clearly directs the response.
- Risk: Where privacy breach risks are high, the GDPR will require Privacy Impact Assessments (PIAs). A PIA helps identify areas where an individual’s personal data could be at risk. Always start PIAs early in project development.
- Privacy by Design: The GDPR calls for appropriate technical and organisational measures to protect personal data against unlawful processing. Automated processes (flagging data for destruction, for example) are key, but a protected workplace can also guard confidential information with embedded safeguarding processes such as a Clean Desk Policy and a Shred-it All Policy.
- Training: The regulation calls for awareness raising and training of staff involved in the processing operations. Provide ongoing training, and implement a culture of security from the top down.
Learn more about what the regulation means to your business in this comprehensive GDPR overview from Shred-it.