August 01, 2016

What's New in Data Protection and Privacy Legislation?

Awareness of privacy laws and of the legal requirements for storing and disposing of confidential information is growing steadily among C-Suites, according to the 2016 State of the Industry Report by Shred-it. Awareness has risen over the last five years and is now at its highest point since tracking began. It is not all good news, though: SMEs need to step up their compliance practices. The report found that awareness among SMEs is significantly lower than among C-Suites and has remained largely unchanged over recent years.

Staying up to date can be difficult because data protection legislation is a moving target.

Regulators are under pressure to ensure that legislation protects and safeguards the privacy and personal information of citizens, said the report. That means legislation is constantly evolving.

The State of the Industry report provided details.

In the UK, the Data Protection Act (DPA) currently controls how organisations use personal information by setting out a framework of principles and rules. It is a legal requirement which, if ignored, can lead to criminal prosecution or to fines of up to £500,000 per breach. The Information Commissioner's Office (ICO) enforces the DPA in the UK and has issued a total of 91 fines since 2010 for breaches of the Act, amounting to over £9.4 million levied on private and public organisations based in the UK.

Significant changes to European legislation are imminent. After four years of debate between the European Council, Parliament and Commission, the new EU General Data Protection Regulation (GDPR) was passed by the European Parliament on 14 April 2016 and will apply from 2018, by which time all European Union (EU) member states will be required to comply. A single data protection law will replace the existing patchwork of national laws. Its reach is not limited to businesses in EU member countries: any business or organisation anywhere in the world that processes the personal data of individuals in the EU will be affected, so organisations need to plan ahead now.

Following the Brexit result of the EU referendum, it would be unwise for UK organisations to assume they will not be affected by the new regulation. In a statement, the Information Commissioner's Office (ICO) said: “We will be discussing with Government the implications of the referendum result and its impact on data protection reform in the UK.”

What can companies do to remain in compliance and up to date with evolving privacy legislation?

  • Have information security policies that cover both the on-site and the off-site workplace.
  • Monitor the websites of the data protection regulators that apply to you, including international ones. “Be on the lookout for new guidelines and policies or any new enforcement decisions.”
  • Regulate access to confidential information. Employees should have access only to the information they need to do their jobs.
  • Provide appropriate technological safeguards, for example ‘compartmentalising’ applications on mobile devices, firewalls, anti-malware software, and encryption technology.
  • Physically protect information. Implement a Clean Desk Policy.
  • Provide ongoing training to encourage secure work habits and to familiarise employees with policies and procedures.
  • Regularly review what personal information is collected, how it is used, and how long it is retained. Limit the amount and type of personal information collected to what is necessary. Securely destroy confidential information when it is no longer needed. Introduce a Shred-it All Policy.
  • Partner with a third party that is committed to best practices in information security. Think beyond the storage of hard drives: leverage third-party expertise to regularly destroy outdated hardware and electronic media.