It’s time to stop panicking about the General Data Protection Regulation being brought in on May 25.
There will be strict new rules about dealing with personal data, anything which could lead to the identification of an individual in Europe (including post-Brexit Britain).
Those rules will affect mailing lists, lists of job applicants, client lists, invoices, and other documents. They will apply to paper documents as well as items held on computers.
Yes, it’s the biggest change to data protection in a generation and fines are increasing, but…
Stop! It’s time to focus.
There are five key areas where you need to review how your business operates:
- How good is your cyber security?
How do you keep your computers, laptops, phones, and other IT equipment safe?
You need to be safe from someone hacking into your systems and someone spreading viruses.
Is your security being looked after by a reputable firm? That’s one of the best ways to ensure your data is protected. Even then, check what steps hey are taking to ensure they comply with the new rules. Ask for regular reports.
Buying systems in such as invoicing systems or CRMs? Ask the suppliers how they will help you comply, or will they put you, and themselves, at risk of a fine?
- Where is the data you hold?
You need to know what data you have, where it is stored, and how it is being used or processed.
That could include MailChimp or other emailing systems, CRM systems, website contact forms, cloud storage systems, spreadsheets, or documents on your laptop or phone.
It could also include physical documents, including confidential waste.
- What are your processes?
They need to have data protection built in from the start. That means, how you get the data, how you store it, who processes it, and the legal basis for using the data, all need to be considered before you collect it.
The rights of the people mentioned in the data need to be recognised and honoured from the start. For example, there is a right to be forgotten which means you need to work out how to inform people you have their data, and how they can request you delete it.
- What is the legal basis for holding and processing data?
You can process data under GDPR rules if you have:
- Consent from the subject of the data for the explicit use you plan – for example, you will need specific consent to hold data on a mailing list, not just provide an opt-out box. You’ll also need to specify how regularly you’ll check with the data subjects.
- A contract which means you need to hold and process it – for example, holding a guarantee.
- Passing it on to save a life or in the vital interest of the subjects in another way.
- If you must hold it in the public interest (based in law).
- Your interest in processing the data is legitimate and doesn’t outweigh the interests of the person involved. This would mean passing an Information Commissioner’s Office Legitimate Interest Assessment.
- How will you deal with confidential waste?
Whether in paper form or on flash drives, image cards, or old hard drives, confidential waste could well hold personal data.
So, you will need to have processes in place to ensure they are dealt with and destroyed securely.
A costly data beach could come from the insecure handling of documents, for example.
Outsourcing your confidential waste to a reputable, experienced secure shredding company will help you comply with GDPR.
Who will help you?
The GDPR Alliance includes software firms, law firms, and security specialists, and its members help businesses become compliant with the new GDPR rules. You can find out more about them here.
They will help you put plans in place to cope if something goes wrong and there is a data breach.
The Information Commissioner’s Office has a section on its website with handy tips, advice, and documents. You can find it here.
Why you should choose Taclus Confidential – A South Wales secure shredding company
We offer confidential paper waste and hard drive destruction services at affordable prices.
Taclus Confidential holds the accreditations for ISO 9001:2015 for quality management and ISO14001:2015 for environmental management, and has been certified by independent auditors IQS for both.
Taclus has also been selected as the confidential waste management partner for Keep Wales Tidy.