GDPR: Key Data Changes Your Company May Need to Make Now
Does your workplace handle personal information from individuals who live in the European Union (EU)?
Any organization that does has until May 2018 to put data processes in place so that they comply with the new General Data Protection Regulation (GDPR).
The GDPR is replacing the Data Protection Act for countries that are part of the EU. But all companies, anywhere in the world, that hold, transmit and process personal information about individuals who live in the EU must comply.
Enforcement of the regulation is scheduled to begin in late spring, and there are significant financial penalties for companies that don’t comply. One security blogger said that U.S. companies could see enforcement agencies at their door as early as next summer.
Here’s how companies should be preparing.
- An extensive review of data in storage will show whether or not EU data is held and handled (data kept with third-party storage providers counts too). This data will need to be protected, and it may be most efficient to store it apart from other customer data.
- Always do a Privacy Impact Assessment (PIA) when handling personal data, especially when using new technologies. It is important to do the assessment in the early stages of projects.
- The consent process for personal information will likely have to be re-done. GDPR requires documented permission, including the date and source of the consent. There must be ‘opt-in permissions’, as failure to opt out will not be sufficient consent. It must be as easy to withdraw consent as it is to give it.
- Be prepared for information requests and sharing. The legislation allows individuals to request copies of their data held by companies.
- A ‘privacy by design’ requirement calls for data protection from the onset of collection. Always collect the minimum amount of information, and consider privacy at the planning stages of projects. It will be helpful to embed security-driven processes in the workplace too. A Clean Desk Policy, for example, means all information will be locked away securely when employees are away from their desks.
- Put a formal information destruction process in place. The GDPR’s ‘right to be forgotten’ means organizations can’t keep personal information for any longer than necessary and must delete or remove the information if the owner requests it. A comprehensive document management process will help monitor and protect information from creation to destruction. Partner with a document destruction company for secure information disposal. A Shred-it All Policy specifies that all documents are securely destroyed when no longer needed. After every shred, the company should issue a Certificate of Destruction, which can be used to show compliance if necessary.
- Create a detailed breach notification plan. Under GDPR, notification for certain types of breaches will become mandatory, and it must be done within 72 hours of first becoming aware of the breach.
Start Protecting Your Business
To learn more about how Shred-it can protect your documents and hard drives, please contact us to get a free quote and security risk assessment.