GDPR has been in place for a year now, and it has dominated the headlines ever since. Many large businesses have been fined for the loss of sensitive data belonging to their customers. It is important to ensure your company is fully compliant to avoid breaches of personal data and potential fines. We have analysed some GDPR mistakes which your business can learn from.
What does GDPR stand for?
GDPR stands for the General Data Protection Regulation. The law was brought in to protect personal and sensitive data from misuse and breaches, especially in this age of technology. Every business that processes personal data must comply, or face an investigation into its data handling and security practices. We have written a blog post on the meaning of GDPR here.
Who enforces GDPR?
The Information Commissioner's Office (ICO) is the UK's supervisory authority and enforces GDPR here. If your company suffers a personal data breach that is likely to put individuals at risk, you must report it to the ICO within 72 hours of becoming aware of it, or face a fine. The clock starts when you become aware, but a breach that goes undetected for weeks or months is itself evidence that your monitoring is inadequate, and the ICO will take that into account. It is therefore imperative that your company has the right systems in place to detect and report incidents promptly.
The fines for being non-compliant with GDPR can be up to 4% of annual global turnover, or €20 million, whichever is greater. Other actions which the ICO will take, depending on circumstances, include:
- Giving the business a warning and reprimand
- Temporarily or permanently banning the business from processing data
- Ordering the rectification, restriction or erasure of data
- Suspending the business from transferring data to third countries.
Since GDPR came into force, we have seen a number of data protection casualties in the press. Companies that did not have the security in place to notice an attack have suffered the most, with some businesses not discovering the breach until months after. Here are a few examples of industry giants who have been investigated by the ICO or by other European supervisory authorities.
Uber paid its attackers $100,000 to destroy stolen data containing the personal information of its customers, including the records of around 82,000 UK drivers, and kept the 2016 breach quiet for over a year rather than notifying regulators or the people affected. The cover-up cost Uber a $148 million settlement with US state authorities, and the ICO separately fined it £385,000. Because the breach predates GDPR, that fine was issued under the Data Protection Act 1998, which capped penalties at £500,000; the same conduct today would expose a company to the far higher penalties described above.
British Airways revealed in September 2018 that payment and personal details entered on its website and app between 21 August and 5 September had been stolen. It initially put the figure at around 380,000 transactions, and later confirmed that 244,000 payment cards were compromised during the intrusion. BA reported the breach to the ICO within the 72-hour window, which counts in its favour, but how large the fine will be remains uncertain because the investigation is ongoing and is expected to take a long time.
Carphone Warehouse was attacked for 15 days before it detected the intrusion. The ICO ruled that its security systems were severely lacking and that the personal information of over 3 million customers, along with around 1,000 employees, had been compromised. It received a £400,000 fine for failing to identify the attack and protect its customers' data. That penalty was issued under the Data Protection Act 1998 because the breach happened in 2015; under GDPR the ceiling would have been far higher.
Google was fined €50 million by France's supervisory authority, the CNIL, for a lack of transparency and a lack of valid user consent in how it personalised advertising. The fine is just a fraction of Google's annual turnover and the company will quickly recover financially; its reputation may not.
10 Common GDPR Mistakes
Here are 10 common GDPR mistakes which businesses make:
1. Assuming it doesn’t apply to you
GDPR applies to any organisation, inside or outside the EU, that processes the personal data of people in the EU, whatever its size or sector. Personal data means any information relating to an identifiable person, including phone numbers, email addresses, home addresses and bank details.
2. Picking and Choosing
You can’t pick and choose what applies to you. There are currently 11 chapters and 99 articles within the GDPR document. If you are unsure how to ensure your business is GDPR compliant, get in touch.
3. Failing to identify personal info
Personal information also includes unstructured data such as social media posts, profile pictures, locations and IP addresses which are stored online. This must be identified within your business in order to protect it efficiently.
4. Failing to keep evidence
If you are investigated but fail to provide evidence of the ways in which you are GDPR compliant, you could receive a fine.
5. The right to erasure
Consumers have the "right to erasure", under which they can ask you to delete the personal data you hold about them, and you must normally act on the request within one month. The right is not absolute: you may keep data you are legally required to retain, but you must tell the individual why. Your business should have a process for deleting the master record of a customer on request, and for making sure copies held in backups, spreadsheets and by your third-party processors are removed too. You must then keep evidence that you have done this.
6. Allocating GDPR matters to one member of staff
A common action is to allocate GDPR to one member of staff, when in fact, it affects every department within your business. You must work together within the company to implement GDPR in everyday practice. We offer a consultancy service to help you implement changes within your business.
7. Keeping a visitors book
We've all seen the scene in a movie where somebody flicks through the visitors' book to find a name. In practice, an open visitors' book on the reception counter lets every visitor read the names, companies and arrival times of everyone who signed in before them. That is a disclosure of personal data with no lawful basis, and it can be penalised. To avoid it, keep the sign-in book behind reception and watch as each person signs in, or use individual sign-in slips so that no visitor can see another's details.
8. Old personal data within the organisation
You may not have considered the old CVs that you 'kept on file'. To hold an applicant's CV you need a lawful basis and a defined retention period; having received it once is neither. If the applicant agreed to be kept on file for future roles, record when they agreed and for how long. If you are unsure, email them to check, and securely destroy anything you no longer have a reason to keep. If you need somewhere to keep the documents you do retain, we offer a range of secure document storage services.
9. Staff using their personal computers
If your staff members bring their personal computers into work and take them home again, they are potentially taking client details back and forth between the office. Ensure that your team have work computers to eradicate this issue.
10. Sponsorship forms in the staff room
If your sponsorship form contains the details of staff members and is on show in a public place, this is not compliant with GDPR. Instead, consider a sponsorship box with slips to put in, so that people can keep their personal information hidden.
At Shredall SDS Group, we are fully GDPR compliant and can help your business to implement the correct changes to become compliant, too. The minimum your company should be doing is shredding sensitive paper once it is no longer needed. Office shredders, however, are slow, and most are strip-cut, producing long vertical strips that can be pieced back together.
Our industry-standard Vecoplan shredder cross-cuts documents into small particles that cannot realistically be reassembled. It processes up to 6000kg of paper per hour, removing the need for office shredders, and we can provide secure bins to store your waste before collection.
Shredall SDS Group also specialises in the removal of waste electrical and electronic equipment (WEEE), including old hard drives and laptops, USB sticks, CDs and DVDs and printers, as well as other confidential items such as branded uniforms. You can rest assured that your sensitive waste will be disposed of safely and securely.
Furthermore, our storage services allow you to comply with GDPR whilst saving you valuable time and freeing up office space. We already offer full-service records management to businesses in a range of industries across the UK. Your documents are indexed by fully vetted staff, and our services include:
- Secure scanning and scan-on-demand
- Confidential, compliant data destruction and recycling
- GDPR-compliant storage, indexing and cataloguing