Information Security: Are You Ready for the GDPR?
Information security experts are putting the spotlight on the new landmark General Data Protection Regulation (GDPR), which goes into effect in May 2018 and represents a major overhaul of European data protection. It brings protection up to date with digitized data trends, strengthens individual privacy rights, and tightens GDPR compliance obligations and enforcement. Organizations that do not comply face much higher fines of up to 4% of their global turnover.
What is also significant is who the regulation applies to. The GDPR will replace the current Data Protection Act for countries that are part of the European Union (including the U.K.). But all companies, anywhere in the world, that process information about EU citizens must comply as well.
Research from PwC has shown that 92% of U.S. multinational companies, for example, have cited compliance with the new regulation as a top data protection priority. Besides the legal and financial consequences, a breach could damage reputation and customer confidence.
Here are some of the important aspects of the new legislation as well as GDPR compliance best practices that will protect the workplace:
- Transparency: The GDPR calls for mandatory record keeping; plus, data protection authorities can review a company’s privacy policies at any time. All organizations should have a comprehensive information security policy that outlines data management and safeguarding procedures.
- Leadership: Organizations with more than 250 employees will have to appoint a Data Protection Officer. But experts recommend that every company have a qualified data protection officer. “With today’s technology, there are many organizations with fewer than 10 employees that process the personal data of thousands of people and have a much higher risk than many larger organizations,” said a privacy lawyer in a computerweekly.com post.
- ‘Right to be Forgotten’: Personal information cannot be held for any longer than necessary and only for the purpose it was originally collected for, making secure destruction of personal information critical. Partner with a reliable document destruction company that provides secure destruction services for paper documents and hard drives and e-media, and issues a Certificate of Destruction after every shred.
- Notification: Some data breaches will have to be reported within 72 hours of discovery. Implement a breach notification process that uses detection technologies and clearly defines the response procedures to follow.
- Risk: Where privacy breach risks are high, the GDPR will require Privacy Impact Assessments (PIAs). A PIA helps identify areas where an individual’s personal data could be at risk. Always start PIAs early in project development.
- Privacy by Design: The GDPR calls for appropriate technical and organizational measures to protect personal data against unlawful processing. Automated processes (flagging data for destruction, for example) are key, but a protected workplace can also guard confidential information with embedded safeguarding processes such as a Clean Desk Policy and a Shred-it all Policy.
- Training: The regulation calls for awareness raising and training of staff involved in the processing operations. Provide ongoing training, and build a culture of security from the top down.
Learn more about what the regulation means to your business in this comprehensive GDPR overview from Shred-it.