The EU Data Protection Directive 95/46/EC is being replaced with the EU's new General Data Protection Regulation (GDPR) which will enter into force on 25 May 2018 and the countdown to compliance has already begun.
The aim of GDPR is to harmonise data protection law in Europe, to protect and empower all EU citizens data privacy, and to reshape the way organisations approach data privacy.
GDPR is far more stringent than existing data protection legislation and will fundamentally change the way that companies gather, process and protect the information of EU citizens. It presents a challenge to all businesses with EU customers or employees: comply with stringent rules regarding data privacy and protection, or face severe fines – up to €20 million or 4% of global turnover.
The regulation widens the definition of ‘personal data’ by defining it as any information that can identify an individual person. This includes a name, an ID number, postal address, location data, online browsing history, images or anything relating to the physical, physiological, genetic, mental, economic, cultural or social identity of a person. When obtaining this personal data organisations will have to obtain consent before this information is processed. Each EU state will define the age up to which an organisation must obtain consent from a guardian before processing a child’s data. Individuals must be informed in advance of their right to withdraw consent at any time. They will have a right to be forgotten and their data must not be kept longer than necessary or used for a purpose different to which it was originally collected.
If a data breach occurs organisations will be required to report it to regulators and customers within 72 hours. Organisations will therefore have to put in place technologies and processes which will enable them to constantly monitor, detect and respond to a breach of personal data.
The appointment of a Data Protection Officer (DPO) will become mandatory for public organisations, organisations that carry out the regular and systematic monitoring of individuals on a large scale, or organisations whose activities consist of processing sensitive personal data. The role of this DPO will be to support the organisations compliance with GDPR by ensuring personal data processes, activities, and systems conform by design. In addition, the DPO will act as an intermediary between the organisation and supervisory authorities or data subjects.
GDPR introduces mandatory Data Protection Impact Assessments (DPIA) for organisations where privacy breach risks are high. DPIA’s will help organisations identify potential privacy issues before they arise and come up with a solution to mitigate them. If the privacy issues cannot be mitigated then the organisation is required to consult their Data Protection Authority before engaging in the process. GDPR allows organisations that have establishments in more than one EU member state, or have a single establishment in the EU that processes data of individuals in other EU states, to liaise with one Data Protection Authority as their single regulating body, referred to as a Lead Supervisory Authority (LSA). This LSA will be where the organisation have their main administration, or where decisions about data processing are made.
Despite the challenges ahead GDPR presents strategic advantage opportunities. Once compliance is achieved organisations will have the processes in place to securely maximise the value of personal data. In addition, they will be able to operate with clear and demonstrable consent from employees, customers and prospects. This in turn will have a positive impact on business relationships as individuals will support brands and employers they trust.
How Glenbeigh Records Management can help
You are not alone in preparing for GDPR and Glenbeigh Records Management is positioned to help you in a number of ways. Firstly, our cataloguing services can help you understand the type of personal data you have. You can then examine it and if you decide you longer need it we can provide certified shredding. If the data is of value to your business we can securely store it in our ISO27001 compliant records management facility with an assigned retention date which you will be notified on to authorise shredding.
Going forward our digitisation department can help you better manage incoming personal information. Our digital mailroom service captures information from physical files at the start of the document lifecycle within an organisation, rather than at the end, making it easier to implement procedures that adhere to GDPR's requirements.
The reality is that the clock is ticking and the changes required may be significant so the time to act is now. Download our 12 step guide to GDPR below:
12 Step Guide to GRPR