On May 25th 2018, new laws will be brought into effect around data protection, in order to make it uniform across the whole of the European Union. General Data Protection Regulation (GDPR) applies to all businesses – from large companies and public authorities to small and medium-sized businesses.
What is GDPR?
GDPR is the new primary law governing how companies protect the personal data of any EU citizen. Its main purpose is to create a uniform approach to data security across the EU, and it will replace the current Data Protection Directive 95/94/EC.
How will the GDPR affect my business?
Businesses will have to be more stringent about the ways in which personal and sensitive information are stored. Infringements of the new laws will hold greater consequences and potentially large fines.
There’s a need for transparency when it comes to collecting data from individuals, and it’s vital companies make it clear to them how that data will be used. In addition, individuals must be made aware of their rights to withdraw from having their data stored by your company. The newly introduced “Right to be forgotten” directive means that an individual can request that you delete any of their personal data that you have on file. The “Right to object” directive means that an individual can refuse permission to be profiled – this includes for direct marketing purposes.
Companies must take precautions regarding the security of the data they store, both physical and electronic. Breaches of any kind must be dealt with quickly, and it is every company’s responsibility to use this time in the lead-up to GDPR enforcement to reassess their current security processes.
Why GDPR matters
Any company that is already compliant with the Data Protection Directive will now need to ensure that it is in line with GDPR and the changes it imposes. If your company doesn’t adhere to the GDPR requirements and regulations set out, or you have been found to breach them, you could face a fine.
It applies to all members of the EU, and will remove the need for each state to write its own data protection laws. Some companies will even need to employ a data protection officer to oversee the implementation and compliance of GDPR.
Ahead of the regulations coming into effect, it’s time to start looking at where you are now, and what steps you can take to make a move towards compliance.
What should I consider in the run up to the GDPR?
Many data breaches in businesses occur through the neglect of individuals rather than malicious cyber-attacks, which is why it is so important to mitigate the risks in as many ways as possible. Here are a few you should be considering:
- Make a risk assessment plan
Identifying potential risks and addressing weaknesses in your current security processes are important parts of aligning your business with the GDPR rulings. It’s also worth setting a timeline against the results you glean from your risk analysis – you’ll be able to see what actions need taking and when, and take stock of which ones will be the most time-consuming. This can also be useful when it comes to delegating areas of responsibility across the business, so that everyone is aware of what they need to do to aid GDPR compliance.
- Destroy unnecessary hard copies
If you use a lot of paper documentation, or you need to print out a confidential document that you won’t need to refer to later, a shredder is essential for destroying the material. It’s vital that you don’t leave sensitive information where non-authorised people could see it. As well as being a breach of privacy if the details are employee- or consumer-specific, the consequences of confidential information being leaked could be hugely detrimental to a business.
Crosscut shredders or confetti shredders cut your document into tiny pieces, which makes the pieces harder to reconstruct. However, the best shredder for your needs will depend on your business.
- Keep your paperwork private
The protection of physical data is an important concern for those looking to align their businesses with the GDPR. If physical copies need to be kept for reference purposes, you should be taking extra precautions when it comes to storing them. A lockable filing cabinet or drawer can prove invaluable. With advancements in technology, the importance of keeping physical information under lock and key can sometimes be overlooked. Lockable storage is as paramount a purchase as it ever was, and a tangible way to keep access to confidential documents limited.
- Don’t get complacent with passwords
When it comes to data protection, people can forget how vital a secure and well-considered password can be. Auto-reminders set on computers after a set number of days can give employees the impetus they need to regularly change their passwords. You can also set parameters to ensure that passwords contain capital letters, numbers and even symbols, so that their complexity is at the desired level to help keep data secured.
- Assess access levels
Entry-level team members are unlikely to need the same access that a senior management team member would. Similarly, those in charge of your data security will have a different set of access needs from general office workers. For companies that use freelance workers, or even temps, on a regular basis, this brings a whole other set of potential risks, and furthers the need for tailored access. Setting limitations on who can access what can make a huge difference in cutting down on data breaches and protecting sensitive information.
- Is your anti-virus software good enough?
Protecting your business from online threats with strong anti-virus software is essential. With the increase in cyber-attacks and the growing complexity of the kinds of viruses that can infiltrate your business, this is something you need to pay close attention to. Ask yourself – is your anti-virus software up to date? Is it enough for a business of your scale? You should take the time to reassess your current package to make sure it’ll be enough to keep you in line with the GDPR.
- Spring clean your office and computer files
Schedule time to make sure all the information you hold is correct, up to date and still applicable. This is part of the GDPR requirements. You must also respect other people’s rights resulting from GDPR. If they choose not to have their personal data stored on file – that is their legal right, and they should be made explicitly aware of it. Regularly making sure everything follows the guidelines and cleaning up any files or folders will help keep your documents in order, and help you spot any discrepancies or issues.
- Have a plan in place for breaches
Companies will be expected to react to breaches quickly and report them to the relevant regulatory body within 72 hours. You will also have to explain how you have dealt with said breach, and what you’ve done to mitigate its effects. Having a plan in place and ready to go can help save time, and lessen the impact a breach may have on your company and the people involved.
It’s important that your business is fully informed about the changes in data protection and the implementation of GDPR. The responsibility lies with each and every employee, so the information and the plans you put in place should be disseminated company-wide. The countdown is on, and reassessing your current data security measures is the first step to GDPR compliance.