How prepared are you for the GDPR?
A brief overview
The countdown is on as the General Data Protection Regulation (GDPR) comes into force on 25th May 2018. It’s important to understand that this is a Regulation, not a Directive: it applies directly in every EU member state without needing national legislation to transpose it, and it carries tough fines (up to €20 million or 4% of worldwide annual turnover, whichever is higher) for any business or organisation found to be in breach of it. Compliance, therefore, is not optional; it is essential.
The GDPR runs alongside a new Data Protection Bill, announced in the Queen’s Speech, which modernises the UK’s data protection laws so that the country has a framework suitable for the digital age. It gives individuals greater rights over their own personal data and carries stronger sanctions for breaches of privacy and security and for malpractice.
The GDPR sits at the centre of the proposed UK Data Protection Bill framework, which replaces the current Data Protection Act 1998. The GDPR applies to ‘data controllers’ (who decide why and how personal data is processed) and ‘data processors’ (who process it on a controller’s behalf), with ‘lawful use’, ‘transparency’ and ‘accountability’ playing an important part, alongside the implementation of processes to monitor and safeguard personal and sensitive personal data.
It is applicable to any business or organisation, of any size, that collects, stores or processes personal records, and is being introduced to harmonise data privacy laws across the EU and to take account of new digital technologies. ‘Personal data’ is broadly defined as any information that relates to an identified or identifiable living individual, so it includes not only names and addresses but also identifiers such as customer numbers, online identifiers and location data. ‘Sensitive personal data’ (the GDPR’s ‘special categories’) covers details such as racial or ethnic origin, religion, political views, health, and so on, and attracts stricter conditions for processing.
The GDPR also gives individuals greater clarity and rights about how companies use their personal details, with emphasis on consent, which must be a clear, affirmative ‘opt in’ rather than a pre-ticked box or silence treated as ‘opting out’. Individuals will have the right to access the information a business holds on them, and the right to erasure (the ‘right to be forgotten’). There are also specific rules which must be adhered to if your business suffers a personal data breach: where the breach is likely to result in a risk to individuals, the ICO must be notified within 72 hours of becoming aware of it, and affected individuals must be informed without undue delay where the risk to them is high.
The Information Commissioner’s Office (ICO) has been urging companies to prepare well ahead of the enforcement date, and its website is an excellent resource for more in-depth details about the GDPR and its key principles. The ICO’s ‘Preparing for the GDPR: 12 Steps to Take Now’ is a useful starting point, and the website has detailed information and toolkits available. There is also an ICO hotline and dedicated advice service for small organisations (fewer than 250 staff) and charities – Telephone: 0303 123 1113 and select option 4.
“Small organisations want to be ready when the new law comes into force in May 2018, but they often struggle to know where to start. They may have less time and money to invest in getting it right and are less likely to have compliance teams, data protection officers or legal experts to advise them what to do,” says Information Commissioner, Elizabeth Denham.
It is recommended that preparation involves all stakeholders and is led from the top tier of senior management, so that everyone in the business understands the GDPR and has procedures and systems in place to meet its requirements.
Ahead of the GDPR, it is imperative that organisations carry out an audit of what personal data they hold and evaluate why they hold it, where it resides (on paper, on servers, with third-party processors) and who has access to it, adopting systems and implementing processes for security and governance, and identifying any potential vulnerabilities.
These activities all need to be documented as evidence of the systems implemented and the actions taken – in other words, you need to be able to demonstrate how you are complying with the principles of the GDPR (the ‘accountability’ principle). You may need to update your procedures and, depending on the nature and scale of your processing, designate a Data Protection Officer. We strongly recommend you visit the ICO website for official guidance.
Box-it and the GDPR
At Box-it Central, we are also ensuring that we have made all relevant preparations for the GDPR. We recently hosted a meeting on the GDPR attended by representatives from Box-it regional offices nationwide, as well as a consultant with specialist knowledge of the GDPR. So, it’s a subject we are taking very seriously.
For those who have physical archives in store but aren’t currently using our Omnidox Records Manager system to manage their archives online, it’s something we strongly recommend for supporting GDPR compliance. Paper records are more prone to accidental loss or damage and to being viewed by people who have no need to see them, so having controls in place to log who accesses what, and to restrict access to certain information, is imperative. It is also an invaluable tool for document lifecycle management, with the ability to set prompts for review dates and destruction so that records are not retained for longer than necessary.
It may be that the GDPR is the catalyst for digitising paper records in your organisation. Again, we offer secure services for document scanning and Omnidox Document Manager, a secure repository for storing, viewing and sharing documents online. We can securely destroy the paper originals with our confidential shredding service, providing Certificates of Destruction at the end of the process.
So, the GDPR clock is well and truly ticking. We will be bringing you regular updates on the GDPR in the lead-up to May’s enforcement date. While it might sound rather intimidating, it is after all fundamentally about ‘best practice’ and ‘governance’, as well as the security and lawful processing of data, in order to protect the interests of the individuals whose data you hold.
Please contact Box-it Central to find out how our services and systems can support you with your GDPR compliance.
This article is for guidance only. For official advice, please visit the ICO website.