What you need to know about the GDPR
What is the GDPR?
The GDPR (General Data Protection Regulation) is the European Union's new data protection regulation. It was adopted on 14th April 2016 and has since been in a two-year transition and implementation period across Europe.
It applies in full from 25th May 2018, replacing the current Data Protection Directive (95/46/EC). From that date, any business found non-compliant with the new rules may be subject to fines.
One of the biggest changes concerns how you collect and process personal data.
Under Article 6 of the European Union’s GDPR, you must ensure that you have lawful grounds to process personal data.
The regulation defines the six lawful bases for processing personal data as:
- Consent that is freely given, specific, informed and unambiguous, indicated by the data subject
- Processing is necessary for the performance of a contract to which the data subject is a party
- Processing is necessary for compliance with a legal obligation of the data controller
- Processing is necessary to protect the vital interests of the data subject
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller
- Processing is necessary for the purposes of the legitimate interests pursued by the data controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject
Organisations need to know on which ground(s) they are processing personal data, record it in their documentation of processing activities, and be able to demonstrate it on request. A lawful basis should be chosen before processing starts; switching basis later (for example from consent to legitimate interests once consent is withdrawn) is not permitted.
What fine will businesses face if they breach the GDPR?
The penalties for breaching the GDPR are administrative fines. The upper tier is €20 million or up to 4% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher. This tier is reserved for the most serious infringements, such as breaches of the core data protection principles, of data subjects' rights, or of the rules on international transfers.
The fine system is tiered, so lesser breaches are not subject to the same penalties: a lower tier of €10 million or 2% of turnover applies to infringements such as failing to keep records, to notify a breach, or to implement appropriate security measures, and supervisory authorities must set each fine proportionately to the circumstances. Even so, the fines are far steeper under the GDPR than they have been previously.
What’s the difference between the GDPR and the previous legislation?
Both the GDPR and the Data Protection Directive apply across the EU as a whole, not just within the UK. The main difference between the General Data Protection Regulation and the previous Data Protection Directive is the nature of the legislation.
A directive sets objectives that each member state must then write into its own national law, so the detail varied from country to country. A regulation, by contrast, is directly binding in every member state without national implementation and must be followed in full by all countries within its domain. The GDPR also has a wider territorial scope: if your company offers goods or services to, or monitors the behaviour of, people in the EU, it must comply even if it operates outside the EU, and every system and device that accesses that personal data falls within the security measures you must be able to demonstrate.
What NEW things does a business need to do to be compliant with the new GDPR?
- You must document your compliance – the more detail the better. The GDPR's accountability principle means you must not only comply but be able to show that you comply: keep records of your processing activities, carry out risk assessments (and a data protection impact assessment where processing is likely to be high risk), audit your controls and document the outcomes. That includes knowing which devices access personal data: every time a new device connects to your network, it is your responsibility to make sure it is operating in line with all of your policies.
- You must report a personal data breach to the supervisory authority (in the UK, the ICO) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, you must also inform the affected people without undue delay. Keep an internal record of every breach, whether or not it was reportable, as the regulator can ask to see it.
- Be aware of what now counts as personal data. The scope of what is considered personal data has been widened significantly, so your business needs to get up to date on which data is personal, as it may not have been treating some of it as such previously.
What is now considered personal data?
One of the biggest differences the GDPR introduces is the expansion of what is considered personal data. This makes sense in the context of our ever more connected world; identifying people on the internet has never been so easy. The GDPR defines personal data as any information relating to an identified or identifiable natural person, including identifiers such as a name, an identification number, location data or an online identifier, and factors specific to a person's physical, physiological, genetic, mental, economic, cultural or social identity.
Here are a few of the things you should now treat as personal data that you may not have considered before:
- Economic information
- Cultural details
- Mental health information (this is also 'special category' data, which needs additional protection)
- Online identifiers such as IP addresses, cookie and device IDs, social media usernames and other online personas
- 'Pseudonymised' data – data where names and other direct identifiers have been replaced with a code or key still counts as personal data as long as someone holds the additional information needed to re-identify the individual; only properly anonymised data falls outside the GDPR
Most businesses will be processing personal data in some form, so being up to date on the GDPR's requirements and on your compliance is essential.
How can we help you prepare for the GDPR?
Whilst GDPR compliance remains the organisation's responsibility, there are some things we can do to help you make sure you are on track to be compliant by 25th May. While you may think of your PCs and electronic files when you consider data, there is a lot of it in the office on paper too. Let's look at a few ways to keep that data compliant.
MPS (Managed Print Services)
You may not previously have considered printers to be a potential source of a data leak, but they are vulnerable for several reasons:
- They produce physical data. Printed documents often contain personal data – how is it being protected? Who has access to it? Is it being handled compliantly?
- The GDPR requires you to demonstrate how you are compliant, and documentation is the obvious example. Most employees don't stop to think about whether what they are printing is personal data, let alone whether their printing habits could amount to a breach of the GDPR, and nobody documents it.
- Printers can be a weak spot for attackers. A modern networked multifunction printer is a computer with its own storage, a web management interface and a job log; left with default credentials, unpatched firmware or documents sitting in the output tray, it gives an attacker, or simply a curious visitor, access to everything that passes through it.
Moving forwards, your print services need a secure strategy and set-up; our Managed Print Services can help by offering an audit and recommendations to support your GDPR compliance.
Quills Secure Software
Quills offer a Managed Print Service developed specifically with security in mind – Quills Secure Software. The software provides a range of features that help secure your printers and support your GDPR compliance. We highly recommend that our customers make use of this new service.
Some of the features include:
- Digital signatures and watermarking
- A simple reporting tool covering all information held about a user
- Secure print release (jobs are held and only printed once the user authenticates at the device, so documents are not left in the output tray)
- Erasing the data of past users
- And more!
If you would like further information about our Quills Secure Software, read here.
Shredding and Archiving
Another crucial aspect of your office's approach to data is how it is safely stored and destroyed. At Quills, we offer both destruction and archiving solutions, so feel free to contact us to help ensure your office handles data compliantly from collection to destruction.
Although a somewhat old-fashioned approach, shredding remains an effective way to dispose of data securely and stay GDPR compliant.
Non-shredded documents are readable by anyone who finds them. Such easily accessible data poses a security threat in many ways – employees can easily see documents they aren't meant to and, if that isn't worrying enough, so can visitors to your office. Printed documents can easily end up in the wrong hands.
By physically destroying the paper, shredding ensures that the data cannot be read or reconstructed by a third party. However, there is more to it than just running your documents through a shredder.
How We Can Help Your Data Destruction Keep GDPR Compliant
- Cross-cut shredding. There are several types of shredding, some more secure than others. At Quills, we use highly secure cross-cut shredders rather than standard strip-cut machines, whose strips can be pieced back together. We shred your paper to a cross-cut size of between 15mm and 4mm, in accordance with BSIA guidance.
- Certificate of destruction. A large part of being GDPR compliant is documenting the steps you are taking to protect data, so make sure you receive your certificate of destruction and keep it with your records.
- Reputable and trustworthy. We are ISO 9001 certified and a member of both the BSIA (British Security Industry Association) and NAID Europe (National Association for Information Destruction).
- We dispose of the shredded paper at recycling plants. As well as destroying your data securely, Quills can help your business stay environmentally friendly by recycling your waste.
- Option for on-site shredding. If your business prefers to see its data shredded on-site but doesn't have the resources, we can accommodate you. We provide mobile shredding trucks that can securely destroy data at your premises.
- Of course, all of this is completely confidential. We operate with the utmost professionalism and adhere to the European standard for the secure destruction of confidential material, EN 15713.
Not all data should be destroyed; the GDPR requires that personal data is kept for no longer than necessary, but records you are obliged to retain still have to be stored securely, so the next issue to consider is keeping the data you do retain GDPR compliant.
Quills are partners with the largest privately owned Records Management company in the UK, so we can provide an extensive list of services and a complete solution for any data you need archiving. For more information about our archiving solutions, feel free to take a look at our archiving service list.
If your office is preparing for the upcoming GDPR changes and would like some assistance with shredding, archiving or your print fleet, feel free to contact us:
Call: 0845 078 0324 | Email: email@example.com | Live chat: www.quillsuk.co.uk