In August 2017 the Government announced plans to formally bring the General Data Protection Regulation (GDPR) into British Law in its new Data Protection Bill. The regulation will bring about one of the biggest changes to data protection laws, and businesses must be prepared for the date it becomes enforced, May 25 2018.
Here we give you the lowdown on what the GDPR is, the “significant enhancements” it brings to the Data Protection Act (DPA) and the steps your business can take right now in order to become compliant.
What is GDPR?
In many ways, the GDPR is similar to the current Data Protection Act - legislation which has been in force since 1998 to control the way information is handled and to give legal rights to people who have information stored about them. In relation to our industry, we help businesses to comply with the DPA by disposing of any ‘sensitive information’ they own, whether that’s invoices, customer receipts, business financials, insurance policies, contracts or documents containing PIN numbers or passwords. Not only does this ensure compliance with the law, but it also reduces an organisation’s chances of falling victim to business fraud. Statistics show that the estimated cost of fraud in the UK is £193 billion, with business fraud accounting for around £144 billion of that.
The Information Commissioner’s Office (ICO) states that while “many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act...there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.”
Who will the new data protection regulations affect?
GDPR is an EU directive, affecting all member countries. It’s therefore something that’s going to affect all businesses in the UK and EU and even businesses outside those areas who carry EU data. In March, a study found that a quarter of UK businesses were no longer preparing for the new data protection regulations in the misunderstanding that it won’t apply after Brexit. But the Government confirmed that it will implement the new law whatever form our withdrawal from Europe takes, which means the time to start preparing is now. Despite this, research by cloud technology provider Calligo reveals that 69% of companies are unprepared for the changing regulations.
What are the main changes and how will it affect my business?
As mentioned above, there are a number of “significant enhancements” to the GDPR. Here are a few of the main changes to be aware of:
Standard of consent
With GDPR, consent will be harder to obtain. The ICO’s Consultation: GDPR Consent Guidance document explains the difference between the DPA’s and GDPR’s definitions of consent and how it should be given:
The document explores these additional terms in more depth, but one thing worth touching upon is pre-ticked boxes. Pre-ticked boxes or other methods of default consent will be banned under GDPR as they do not require people to actively, or ‘positively’ opt-in.
Businesses must also keep a record of consent, and be able to demonstrate the following:
- Who consented
- When they consented
- What they were told at the time
- How they consented
- Whether they have withdrawn consent, and if so, when
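The consent record described above (who, when, what they were told, how, and whether and when consent was withdrawn) is straightforward to keep as an append-only ledger, and the ban on pre-ticked boxes can be enforced at the point of recording. The following is an added example written for this article, not code from the ICO or from Shredall; the subject identifiers, purposes, notice text and timestamps are constructed sample data, and the class and function names are this example’s own.

```python
"""Append-only consent ledger: a record of consent that a business can
demonstrate on request. Example code written for this article; the
data below is constructed, not real customer data."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str      # who consented (a pseudonymous id, not a name)
    timestamp: datetime  # when
    purpose: str         # what processing the consent covers
    notice_text: str     # what they were told at the time
    method: str          # how they consented (web form, signed paper form, ...)
    action: str          # "granted" or "withdrawn"


def parse_ts(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp with an explicit UTC offset."""
    return datetime.fromisoformat(iso)


class ConsentLedger:
    """Events are only ever appended; withdrawal is a new event, not an edit,
    so the full history stays available as evidence."""

    def __init__(self) -> None:
        self._events = []

    def record_grant(self, subject_id: str, purpose: str, notice_text: str,
                     method: str, affirmative_action: bool,
                     at: Optional[datetime] = None) -> ConsentEvent:
        # A default or pre-ticked box is not a positive opt-in and is rejected.
        if not affirmative_action:
            raise ValueError("consent requires an affirmative opt-in; "
                             "pre-ticked or default consent is not valid")
        ev = ConsentEvent(subject_id, at or datetime.now(timezone.utc),
                          purpose, notice_text, method, "granted")
        self._events.append(ev)
        return ev

    def record_withdrawal(self, subject_id: str, purpose: str, method: str,
                          at: Optional[datetime] = None) -> ConsentEvent:
        ev = ConsentEvent(subject_id, at or datetime.now(timezone.utc),
                          purpose, "", method, "withdrawn")
        self._events.append(ev)
        return ev

    def history(self, subject_id: str, purpose: str):
        return [e for e in self._events
                if e.subject_id == subject_id and e.purpose == purpose]

    def status(self, subject_id: str, purpose: str,
               at: Optional[datetime] = None) -> dict:
        """What the business can demonstrate for this subject and purpose,
        as of the given moment (default: now)."""
        at = at or datetime.now(timezone.utc)
        events = [e for e in self.history(subject_id, purpose) if e.timestamp <= at]
        granted = [e for e in events if e.action == "granted"]
        withdrawn = [e for e in events if e.action == "withdrawn"]
        last = events[-1] if events else None
        return {
            "who": subject_id,
            "consented": last is not None and last.action == "granted",
            "when": granted[-1].timestamp if granted else None,
            "told": granted[-1].notice_text if granted else None,
            "how": granted[-1].method if granted else None,
            "withdrawn_at": withdrawn[-1].timestamp if withdrawn else None,
        }

    def may_process(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """Gate for any processing that relies on consent."""
        return self.status(subject_id, purpose, at)["consented"]


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample: one subject opts in, then withdraws a week later."""
    ledger = ConsentLedger()
    ledger.record_grant("subject-0001", "marketing-email",
                        notice_text="We will email you monthly offers; unsubscribe at any time.",
                        method="web form, unticked checkbox", affirmative_action=True,
                        at=parse_ts("2018-05-25T10:00:00+00:00"))
    ledger.record_withdrawal("subject-0001", "marketing-email",
                             method="unsubscribe link",
                             at=parse_ts("2018-06-01T09:30:00+00:00"))
    return ledger


if __name__ == "__main__":
    sample = build_sample_ledger()
    print(sample.status("subject-0001", "marketing-email"))
```

The `status` method answers the five questions in the list above from the ledger alone, and `may_process` is the check to place in front of any consent-based processing so that a withdrawal takes effect immediately rather than waiting for someone to edit a flag.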
Stronger individual rights
Not only will GDPR make it harder to gain consent, it’ll give stronger rights to individuals over their personal data. This includes the right to be forgotten (where you have to remove their data), right to object to processing (where they object to data being held) and right to data portability (choice over where data can be sent). Individuals also have the right to complain to the ICO if they feel their information is being misused.
Introduction of data protection officers
The ICO states that the following organisations must designate a data protection officer - whether internally or through the hiring of a third-party advisor:
- Public authorities (except for courts acting in their judicial capacity)
- Those that carry out the regular and systematic monitoring of individuals on a large scale; or
- Those that carry out the large scale processing of special categories of data, such as health records, or information about criminal convictions
The introduction of data protection officers is to ensure that there is someone who takes “proper responsibility for your data protection compliance and has the knowledge, support and authority to carry out their role effectively”.
Higher penalties for non-compliance
Parliament agreed to enhance the ICO’s powers to fine organisations up to £500,000 for serious breaches of the DPA. Prior to April 2010 the maximum fine had been £5,000. Now businesses face even larger penalties, showing how seriously the GDPR is being taken, with those that ignore the new regulations facing a potential fine of up to £17 million, or 4% of their total worldwide annual turnover (whichever is higher).
Another change is being introduced to put a duty on all companies to report certain types of data breaches to the ICO, and in some cases, to individuals. This must happen within 72 hours of the business becoming aware of it. Only some organisations were required to do this under the current DPA. However, the ICO makes it clear that you only have to give notice of a breach where it is “likely to result in a risk to the rights and freedoms of individuals - if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.”
What action can I take to ensure my company is compliant?
It’s worth asking yourself the following questions as a starting point:
- Does my business use any methods of default consent which will need to be changed?
- Where will my company keep a full audit trail of how and when consent was given by individuals? Who will have access to this?
- How will my business make it clear to customers that consent can be withdrawn at any time, and that they have a right to complain to the ICO if they feel their personal data is being misused?
- What processes does my firm have in place to deal with a data security breach?
- Does my business need a data protection officer? If so, who will take on this responsibility?
- Who else do I need to inform about changes to GDPR within my team/firm?
- Does my company need to review the way it stores and destroys personal data, both paper and electronic, once past its legitimate retention period?
- Who is responsible for keeping an accurate record of any destroyed information, and how long will this record be kept for?
The ICO has created a 12 step plan to preparing for GDPR, which you can find in full here.
How Shredall can help businesses comply with the GDPR
Shredall is fully compliant with the new GDPR standard, and we want to ensure that our customers are too. We recommend that businesses review their existing information management processes during preparations for the GDPR, including how their sensitive information is stored and disposed of.
In terms of storage, you’re far more likely to lose documents if your workspace is cluttered, putting them at risk of falling into the wrong hands. Investing in some lockable filing cabinets is a good place to start, and will save time later down the line. If you’re looking to free up some space in the office then you may want to consider using a document storage company like SDS.
With SDS you can choose your own document storage boxes, or we can supply them to you. You can also rest assured that all of our staff and drivers have been security vetted; they will scan your boxes upon collection and again once they arrive at our facilities. Documents can be retrieved at any time, with three different types of delivery: pre-determined, next day and emergency (same day). We also offer a scan-on-demand service where we convert hard copies into digital files. Customers who need urgent access to a document can retrieve it through our security-restricted online system in a matter of minutes.
Any documents that are no longer needed must be shredded at the very least, in order to comply with the law. Many companies choose to invest in an office shredder and do this themselves, but the problem with office shredders is that they’re noisy and time-consuming, and most bog-standard office shredders only cut into vertical strips, which could be reassembled with a bit of patience.
At Shredall we have an industry-standard Vecoplan shredding machine, capable of ‘cross cutting’ 6,000kg of paper per hour, rendering any document illegible. We also specialise in the handling of waste electrical and electronic equipment (WEEE) such as hard drives, printers, laptops, USBs, CDs and DVDs, and branded products including uniforms.
Get in touch with us today to see how we can help you prepare for GDPR.