October 31, 2017

Time is Running Out: How to Prepare for the New EU Privacy Regulations

Is your company ready?

Data privacy rules in Europe are about to change, and they may impact your security practices even if you’re not located in a European Union (EU) country.

The General Data Protection Regulation (GDPR) is replacing the Data Protection Act, and everyone has until May 25, 2018 to put new data management processes in place. With non-compliance fines of up to 4% of global annual revenue, companies need to prepare.

Here are important steps organizations should take.

o   Make sure the company knows: Even though this is an EU regulation, all companies, anywhere in the world, that hold, transmit and process personal information about individuals who live in the EU must comply. Buy-in from decision-makers in organizations is important so that GDPR policies and procedures are adopted.

o   Put someone in charge of compliance: While every workplace should have a security lead, under GDPR certain types of organizations will have to formally appoint a Data Protection Officer.

o   Make sure data collection is within the law: Do an extensive review of all the personal data collected and stored. There has to be a lawful basis, according to a regulation guidelines document from the Information Commissioner’s Office (ICO). Revise the corporate privacy policy so that it fully explains in easy-to-understand language how personal data is used and why.

o   Manage personal data – and individuals’ rights: Document the personal data the company holds, where it’s from, and who it is shared with. Procedures must cover all the rights individuals have under GDPR with the right to data portability being a new requirement.

o   Review consent practices: Consent to hold personal data must be clearly documented. Make sure there are clear ‘opt-in permissions’, as the new regulation will not accept failure to opt out as sufficient consent. Also, it must be as easy to withdraw consent as it is to give it.

o   Highlight children’s data – and consent: The GDPR provides special protection for children’s personal data. A parent or guardian’s consent for children under 16 may be required.

o   Update procedures for information requests: The legislation allows individuals to request information about their personal data. Consider all the logistical implications for how requests are handled.

o   Adopt ‘privacy by design’: The regulation has a ‘privacy by design’ requirement that calls for data protection from the onset of collection. Collect the minimum amount of information, and consider privacy at the planning stages of projects. A Data Protection Impact Assessment (DPIA) may be mandatory in certain circumstances.

o   Be more proactive about data breaches: Put procedures in place to detect, report and investigate data breaches. Under GDPR, notification to the ICO for certain types of breaches will be mandatory; in some cases, individuals will have to be notified too.

o   Provide secure information destruction: GDPR’s ‘right to be forgotten’ means organizations can’t keep personal information for any longer than necessary. They must delete or remove the information at the owner’s request. Partner with a document destruction company for secure information disposal of both paper and digital data. A Shred-it All Policy specifies that all documents are securely destroyed when no longer needed.

Start Protecting Your Business

To learn more about how Shred-it can protect your documents and hard drives, please contact us to get a free quote and security risk assessment.