Is your company ready for the General Data Protection Regulation (GDPR)? There are only 12 months left before it goes into effect.
The GDPR strengthens privacy rights of individuals who live in European Union (EU) countries, giving them better control of the personal information that companies have about them. The legislation also provides a clear set of rules for companies to follow when handling personal information.
One of the most significant aspects of GDPR is that it affects all companies, anywhere in the world. If a company processes information about European Union citizens, then it must ensure GDPR compliance.
GDPR will increase enforcement too. Organizations that are not fully compliant face fines of up to 4% of their global turnover – along with the damaged reputation and customer confidence that a data breach can cause.
Here are the main steps that companies should take now to prepare.
- POLICY: Review the information security policy including data residency and retention procedures. A formalized document management process should monitor and protect all forms of confidential information from creation to destruction. The GDPR introduces the ‘right to be forgotten’, which means organizations can’t keep personal information for any longer than necessary and must delete or remove the information if the owner requests it.
- NOTIFICATION: Create a detailed breach notification plan. While any data breach should be dealt with quickly, certain types of breaches must be reported within 72 hours under GDPR.
- CONSENT: Review the consent process for personal information. Companies must use clear language to state how they intend to manage and use the data they receive.
- LEADERSHIP: Organizations with more than 250 employees must appoint a data protection officer (DPO). But firms of any size that handle a lot of personal data should appoint someone to be in charge of information security.
- PRIVACY BY DESIGN: The GDPR requires appropriate measures to protect personal data in the workplace; embedding security-driven processes will help standardize privacy. A Clean Desk Policy, for example, stipulates that all information is locked away securely when employees are away from their desks. Partnering with a document destruction company simplifies information disposal and sends the message that security is critical. A Shred-it All Policy specifies that all documents are securely destroyed when no longer needed. Under GDPR, organizations must demonstrate compliance, and a reliable document destruction company will issue a Certificate of Destruction after every shred.
- INFORMATION ASSESSMENT: Use Privacy Impact Assessments (PIAs). The GDPR makes PIAs mandatory, and the assessment should be carried out in the early stages of any project that will involve the processing of personal data.
- IT SYSTEMS: Update IT systems to meet the requirement that software include functionality to protect the privacy of individuals.
- STAFF TRAINING: Provide ongoing training, and be sure everyone understands their role in protecting personal information. Executives and managers should demonstrate their commitment to data protection too. Implementing a culture of security from the top down is recommended.
- EXPERT ADVICE: Consult with legal counsel, data protection and information security specialists to resolve any data protection issues.
Start Protecting Your Business
To learn more about how Shred-it can protect your documents and hard drives, please contact us to get a free quote and security risk assessment.