Since Matt Hancock published the Data Protection Bill back in September 2017, which has since been fully incorporated into UK law and will now be known as the Data Protection Act 2018, coming into effect on May 25th, 2018, this topic has been discussed and written about at great length. More and more articles are being published about the new regulation and what the new rules mean for companies within the UK; however, a high percentage of SMBs have still done nothing towards readying themselves for the new regulations, even though it will be a criminal offence if they are found not to be compliant.
One of the biggest differences the EU GDPR places on businesses is the greater liability placed on data processors: if breached, they could face fines of up to €20 million or 4% of the firm’s turnover, whichever is the higher.
Another big difference is that the new regulations call for mandatory record keeping, and the data protection authorities will be able to review a company’s privacy policies at any time. All organisations should hold a detailed security policy outlining their data management and safeguarding procedures.
Leadership is now being asked for: companies with over 250 employees should have a Data Protection Officer (DPO), but it is recommended that any company, regardless of its size, has a DPO. There are many companies with fewer than 10 employees that hold thousands of records, and it is these smaller companies that are more at risk from breaches than the larger organisations.
Another change is the “Right to be forgotten”. This means that personal information cannot be held for longer than necessary and may only be used for the purpose it was originally collected for. Monitoring of this information is paramount, and the secure destruction of personal information is critical. Make sure you find a reliable document management company that can not only help you with the organisation of your records but also carry out confidential and secure destruction of paper, electronic media and hard drives, and that issues a Certificate of Destruction once your items have been destroyed.
You will also be asked to use a Privacy Impact Assessment (PIA). This will help to identify weak areas where personal data could be at risk. Open bins in offices are one area that leaves a company open to potential risk, so many companies are now switching to lockable consoles, which prevent others from seeing discarded documents that hold personal information.
Privacy by Design calls for organisations to have appropriate measures in place to protect personal data against unlawful processing. Having a process in place that flags when a document needs destroying is key; lockable consoles for unwanted documents and a clean desk policy will also help safeguard your work.
Finally, communicate your processes and build good awareness of what needs to be implemented to make the office a safer environment for all personal data. Training and understanding that come from the top down will create a better culture of security.