It’s been around nearly three years now and all the initial systems have been put in place; now is the time to re-visit the question – are you really GDPR compliant in the way you run your business?
Over the Christmas break I was talking to a friend casually about our work and by chance she brought up that her workplace (a housing association) didn’t really seem to have any rules or regulations about confidential waste. More than that, she said that some people disposed of EVERYTHING securely, while other parts of the office disposed of NOTHING securely (depending on where they were sat in the open-plan office, maybe?). This was so surprising to me – after all, I thought, surely everyone is aware of the dangers to data security by now? But seemingly not. It was a sharp reminder to me that there are still many organisations out there that would benefit so much from understanding the rules and then ensuring that the rules are carried out. So here is an update of what’s what in the GDPR world.
There are five key areas where you need to review how your business operates:
- How good is your cyber security?
How do you keep your computers, laptops, phones, and other IT equipment safe?
You need to be protected against someone hacking into your systems and against viruses and other malware spreading through them.
Is your security being looked after by a reputable firm? That’s one of the best ways to ensure your data is protected. Even then, check what steps they are taking to ensure they comply with the new rules. Ask for regular reports.
Buying in systems such as invoicing systems or CRMs? Ask the suppliers how they will help you comply, or whether they will put you, and themselves, at risk of a fine.
- Where is the data you hold?
You need to know what data you have, where it is stored, and how it is being used or processed.
That could include MailChimp or other emailing systems, CRM systems, website contact forms, cloud storage systems, spreadsheets, or documents on your laptop or phone.
It could also include physical documents, including confidential waste.
- What are your processes?
They need to have data protection built in from the start. That means, how you get the data, how you store it, who processes it, and the legal basis for using the data, all need to be considered before you collect it.
The rights of the people the data is about need to be recognised and honoured from the start. For example, there is a right to be forgotten, which means you need to work out how to inform people that you hold their data and how they can request that you delete it.
- What is the legal basis for holding and processing data?
You can process data under GDPR rules if you have:
- Consent from the subject of the data for the explicit use you plan – for example, you will need specific consent to hold data on a mailing list, not just provide an opt-out box. You’ll also need to specify how regularly you’ll check with the data subjects.
- A contract which means you need to hold and process it – for example, holding a guarantee.
- A need to pass it on to save a life or otherwise protect the vital interests of the data subjects.
- A requirement to hold it in the public interest (with a basis in law).
- Your interest in processing the data is legitimate and doesn’t outweigh the interests of the person involved. This would mean passing an Information Commissioner’s Office Legitimate Interest Assessment.
- How will you deal with confidential waste?
Whether in paper form or on flash drives, image cards, or old hard drives, confidential waste could well hold personal data.
So, you will need to have processes in place to ensure they are dealt with and destroyed securely.
A costly data breach could come from the insecure handling of documents, for example.
Outsourcing your confidential waste to a reputable, experienced secure shredding company will help you comply with GDPR. Can you think of anyone?! Yes, at Taclus we are just the people for the job and would love to talk to you about how we can help you.
Who will help you?
The GDPR Alliance includes software firms, law firms, and security specialists, and its members help businesses become compliant with the new GDPR rules. You can find out more about them here.
They will help you put plans in place to cope if something goes wrong and there is a data breach.
The Information Commissioner’s Office has a section on its website with handy tips, advice, and documents. You can find it here.
Why you should choose Taclus Confidential – A South Wales secure shredding company
We offer confidential paper waste and hard drive destruction services at affordable prices.
Taclus Confidential holds the accreditations for ISO 9001:2015 for quality management and ISO 14001:2015 for environmental management, and has been certified by independent auditors IQS for both.
Taclus has also been selected as the confidential waste management partner for Keep Wales Tidy.