GDPR Myths: 6 Security Details Workplaces Have to Get Right
By now most companies know about the new General Data Protection Regulation (GDPR), which is replacing the Data Protection Act in Europe and goes into effect May 25, 2018.
Even though the GDPR is an EU regulation, companies anywhere in the world that hold and process personal information about individuals who live in the EU, must comply.
For companies that are still gearing up for changes, it’s important to be aware of certain aspects of the regulation that need to be correct – and may not be due to misunderstandings and myths.
Here are 6 security details of the regulation that organizations have to get right.
- Breach reporting: The regulation makes it mandatory to report a personal data breach if it’s likely to result in a risk to people’s rights and freedoms – and it really will depend on the risk it poses. A recent Information Commissioner’s Office (ICO) paper identified high risk situations as discrimination, damage to reputation, financial loss and other significant economic or social disadvantages.
- Reporting deadlines: To be in compliance with GDPR,a personal data breach that affects individuals’ rights and freedoms has to be reported no later than 72 hours after discovery. The paper emphasizes that not all details are expected right away by the ICO. The information that matters most comprises of scope of the breach, cause, mitigation plan, and actions being undertaken to solve the problem.
- Fines: Under GDPR the ICO will have the ability to issue fines for failing to notify and failing to notify in time. Potential non-compliance fines can go up to 4% of a company’s global annual revenues. But the regulation is not just about fining companies. Fines can be avoided if companies take a transparent approach and comply with regulations.
- Data security: Some companies have the impression that the regulation has been created to punish organizations. But according to the ICO paper, the legislation is all about giving consumers more control over their data while increasing the accountability of organizations. Focus on putting better safeguards in place to detect and deter breaches. This will raise the level of security and privacy protections across the board – and on a global basis.
- Information destruction: With the GDPR’s ‘right to be forgotten’, organizations should not be keeping personal information for any longer than necessary and they must delete or remove the information at the owner’s request. With this in mind, workplaces should put processes in place so that they collect and keep only the confidential information that is needed for operations and compliance. Also, de-clutter regularly and to start the New Year right, participate in Good Riddance Day. The annual New Year’s event held in Times Square, New York, promotes the secure destruction of confidential information. Information destruction leader Shred-it provides a mobile shredding truck and invites everyone to bring their worst memories of the year and watch them get permanently and securely shredded.
Start Protecting Your Business
To learn more about how Shred-it can protect your documents and hard drives, please contact us to get a free quote and security risk assessment.