Today marks the start of a new era of data protection as the EU’s General Data Protection Regulation comes into force. GDPR has been a topic of discussion for months as companies scramble to prepare, but the deadline has now passed. From now on, any company found to be non-compliant could be fined.
GDPR: the basics
There have been thousands of words written about what GDPR is and who it affects before now, so we won’t go over it all again. If you want to read our take, you can find it here.
However, it’s worth writing out a brief reminder to refresh your memory on what’s changing. GDPR will affect every single business that deals with EU data, whether or not the business itself is based in the UK. Therefore, it will continue to apply to UK businesses even after Brexit.
Although its requirements are complex, the crux of the regulation is that it requires businesses to obtain informed consent when acquiring consumers’ personal data, to be aware of what data they hold and where it’s stored, and to be able to completely erase a customer’s personal data if that individual requests it. Businesses must also report a breach within 72 hours of it occurring.
The fines for a failure to comply with any of the above are far more substantial than those that the ICO (Information Commissioner’s Office) can currently issue under the Data Protection Act 1984 - the UK’s current data laws. Companies can be fined up to 20 million Euros or 4% of their annual turnover, whichever is greater. Needless to say, such fines could be devastating for small businesses.
The story so far
Over the past month or so, you’ll probably have noticed a barrage of emails informing you of different companies changing their privacy policies or asking you to update your consent. Perhaps your business has also sent one of these emails out to its contacts.
Such practices are a part of these companies’ compliance strategies, and follow in the wake of stories such as Wetherspoons completely erasing their email list and Honda getting in trouble for sending out similar emails.
As you might expect, the return rate on these emails is low. The Guardian reports that just 10% of contacts are updating their preferences, while 90% simply ignore the emails. Many companies will have to go back to the drawing board to build up their contact lists again.
More activity will be going on behind the scenes to take stock of what data companies are holding, what their new privacy policies should look like, and how they can ensure that they can erase data if required.
What we can expect in the coming weeks
It’s anyone’s guess as to how the next few weeks will turn out. We’re going to run a news round-up at the end of the month of any major stories that emerge, but until then we’ll have to wait and see.
It’s likely that things will go one of two ways. On the one hand, the ICO may stay fairly quiet in the first couple of weeks to give everything a chance to settle down before they look into non-compliance. On the other hand, they may jump straight in with investigations and sanctions to show that they’re serious about the new regulations. If the latter happens, you can be sure that the stories will make for big headlines.
How Shredall SDS can help
Now is the time to be putting robust practices in place to ensure your GDPR compliance for the long term. The Shredall SDS Group can help you with a number of aspects of compliance, especially if a lot of your historic data is on paper.
Our document scanning and storage services will help you to organise and digitise all your records, so that you can see what data you hold and you know exactly where it’s located. Our shredding services (including hard drive shredding), on the other hand, will help you to destroy any data that you no longer need or that you’re required to destroy as part of an erasure request.
Get in touch with us to find out more about how we can help your business comply.