About a third of companies that should be ready for the new General Data Protection Regulation (GDPR), still aren’t, according to a recent report.
While over 90% of respondents in the EU GDPR Report were aware of the new regulation, approximately 30% still needed to make substantial changes to security practices and technology to comply. The report, sponsored by Stealthbits Technologies, received input from over 500 global cyber security professionals.
The GDPR is replacing the Data Protection Act and goes into effect May 25, 2018. Even though it’s an EU regulation, all companies, anywhere in the world, that hold, transmit and process personal information about individuals who live in the EU must comply. There are significant penalties for those who don’t.
Here are 10 steps companies should be taking to achieve compliance.
- Keep track of data in storage to identify the EU data that is being held and handled. This data must be closely documented, and experts suggest storing it apart from other customer data.
- Designate someone to be in charge of data protection compliance. Some companies will need to appoint a Data Protection Officer.
- Schedule Privacy Impact Assessments (PIA) in early stages of all projects that handle personal data, particularly when using new technologies.
- Revise the consent process for personal information. There must be documented permission including the source of the consent. ‘Opt in’ permissions must be clear because failure to opt out will not be sufficient. It must be as easy to withdraw consent as it is to give it.
- Embed security-driven processes into the workplace. A ‘privacy by design’ requirement calls for data protection from the onset of collection. Always collect the minimum amount of information. Implement a Clean Desk Policy so all information will be protected and locked away securely when employees are away from their desks. Introduce a Shred-it All Policy so all documents are securely destroyed when no longer needed.
- There must be a streamlined process for responding to information requests. The legislation allows individuals to request copies of any personal data held by companies.
- Cull all records regularly, and utilize a comprehensive document management process that will monitor and protect information from creation to destruction. It should include a data retention schedule too. The GDPR’s ‘right to be forgotten’ means organizations can’t keep personal information for any longer than necessary and must delete or remove the information if the owner requests it.
- Prepare a detailed breach notification plan. Under GDPR, notification for certain types of breaches will be mandatory.
- Partner with a document destruction company for secure information disposal. After every shred, the company should issue a Certificate of Destruction, which can be used to show compliance if necessary.
Start Protecting Your Business
To learn more about how Shred-it can protect your documents and hard drives, please contact us to get a free quote and security risk assessment.