August 28, 2018

What GDPR Processes Do You Need to Have in Place?


Though the EU General Data Protection Regulation (GDPR) went into effect this past May, many organizations still need to improve their processes in order to comply.

The GDPR impacts any company or individual anywhere in the world that collects and processes personal information of EU residents.

A recent TrustArc survey that looked at GDPR compliance showed that one month in, only 20% of the US, UK, and EU companies surveyed believed they were GDPR compliant while 53% reported they were still in the implementation phase. Furthermore, 27% had not yet started their implementation.

Only 12% of companies in the US reported they were compliant compared to 27% of EU companies and 21% in the UK.

Non-compliance could be costly with potential fines of up to 4% of a company’s global annual revenue.  

What are must-have GDPR processes?

  1. Data protection leadership. It is important to have someone in charge of data protection compliance. Some companies will need to appoint a Data Protection Officer.
  2. Privacy Impact Assessments. Privacy Impact Assessments (PIAs) should be used in the early stages of all projects that handle personal data.
  3. Up-to-date information security policy. Authorities have the right to ask to review privacy policies and procedures. They should include comprehensive document management processes that show different categories of data as well as a retention and secure destruction schedule.
  4. Staff training. Employees in all departments should receive ongoing training about GDPR.
  5. Consent process for personal information. Organizations must be able to show documented permission to gather personal information, including the source of the consent. ‘Opt in’ permissions must be clear because failure to opt out will not be sufficient. It must also be as easy to withdraw consent as it is to give.
  6. Access. A big part of GDPR is giving consumers easier access to data collected about them. The data management system should be able to quickly identify and document this information.
  7. Information destruction. The ‘right to be forgotten’ means organizations can’t keep personal information for any longer than necessary and must delete or remove the information if the owner requests it. Partner with a document destruction company for secure physical and digital document destruction. After every shred service, the company should issue a Certificate of Destruction, which can be used to prove compliance.  
  8. Breach notification. There should be clear procedures in the event of a data breach. An organization may be obligated to disclose a breach within 72 hours unless the breach is unlikely to pose a risk to the individuals’ rights.  

In summary, data protection should be fundamental to all operations and business processes, according to the 2018 State of the Industry Report by Shred-it. Collect as little data as possible, and keep it separate from information about customers from non-EU countries to minimize risk. Implement a Clean Desk Policy so all information will be protected and locked away securely when employees are away from their desks. Introduce a Shred-it all Policy so all documents are securely destroyed when no longer needed.
