Prepare for GDPR

by Mark Rowe

With the European Union’s General Data Protection Regulation (GDPR) set to come into effect in May 2018 – regardless of the UK vote in June 2016 for Brexit – Robert Guice, Senior Vice President EMEAA at Shred-it, looks at the realities of the forthcoming legislation and what businesses can do to prepare.

With the introduction of the General Data Protection Regulation (GDPR) now less than a year away, the data protection landscape is set to undergo a big shake up. The GDPR outlines how the data of any EU citizen must be handled, wherever in the world the company in possession of this data operates, making it a truly global piece of legislation. It comes into force in May 2018. The requirements stipulated in the new legislation range from stricter rules around securing consent for the use of personal information to, in some cases, the introduction of a designated data protection officer within the workplace.

Importantly, businesses need to be aware that the GDPR will still apply to them when it’s introduced, even as the UK determines its exit from the European Union. Indeed, the regulation will affect all UK businesses that offer any type of service to the EU market, regardless of whether or not they store or process the data on EU soil. Once the UK leaves the European Union, EU regulations may no longer apply but this will be part of the exit negotiations and the UK Government will need to decide which regulations to retain and which to repeal. Whatever the eventual outcome of the negotiations, the GDPR’s extra-territorial effect means that the law will still apply to UK organisations if they process personal data about EU citizens.

Come May 2018, organisations will be expected to comply immediately with the legislation or they could face fines of up to €20m or 4% of annual worldwide turnover, far exceeding the current maximum of £500,000 under the UK Data Protection Act. This financial risk, coupled with the fact that becoming compliant can be a time-consuming process, means it’s crucial that businesses start implementing best practices as soon as possible.

Acting now will provide businesses with the necessary time to speak to legal counsel, as well as information security specialists, so that their staff can be trained on new policies well in advance of the legislation being implemented in 2018. Above all, businesses that act now will reassure their customers, partners and employees that they take protection of their data seriously.

To help businesses fully prepare for the new data protection legislation, and to help mitigate the risks of a data breach, Shred-it has provided five tips for businesses:

1. Conduct an information audit

All businesses should conduct a thorough company-wide review into how their data is processed, stored, retrieved and destroyed through its lifecycle. To ensure that data protection is considered from the outset, companies should introduce Privacy Impact Assessments (PIAs), risk assessments which identify areas where an individual’s personal data could be at risk through its processing.

2. Implement thorough data protection procedures that are compliant with the GDPR

Once a thorough information audit has been undertaken, businesses should think about introducing tailored data protection policies that will help them mitigate the risks associated with lost or stolen data. From practical measures such as policies around keeping a clean desk and shredding all unwanted or outdated paper documents, to company-wide breach notification processes, all types of procedures should be considered to ensure employees are in the best position to help prevent a data breach.

3. Appoint a designated data protection officer

Come May 2018, public authority bodies and companies which process large volumes of personal data will be legally required to appoint a data protection officer (DPO), whose role will be to take responsibility for overseeing data protection compliance within the company. But it’s not just larger companies who should be preparing by appointing a DPO – it’s best practice for companies of all sizes to assign someone to oversee data control, no matter how much confidential information they possess or handle. Ultimately, not only does a DPO ensure privacy is maintained around sensitive data across the workplace, but the role also creates a new level of accountability within the business.

4. Train your staff regularly

As businesses begin to take measures to prepare for the GDPR, it’s critical that employees are involved as early on in the process as possible. Action must be initiated from the top, and executives and managers should ensure training takes place on a regular basis, not only so that employees are aware of the legislation and its implications, but also to help foster a wider culture of security right across the business.

5. Speak to a legal adviser

No matter how prepared a business feels ahead of the forthcoming legislative changes, companies are still advised to speak to a legal team which specialises in data protection legislation, in advance of the May 2018 deadline. A legal data protection expert will help identify any data security gaps in the business and ensure all necessary company-wide compliance changes are addressed. On top of this, they will be able to provide valuable practical advice which can be passed down to employees and which will ultimately serve to benefit the business in the long term.

About the author

Robert Guice is Senior Vice President of EMEAA at Shred-it. He joined Shred-it in 2004 to manage the company’s sales, services and operations in the European and Middle Eastern, Asian and African markets. When Shred-it was acquired by Stericycle Inc, in 2015, Guice was appointed as Senior Vice President for EMEAA for the combined group. Prior to joining Shred-it, he worked as a Sales and Marketing Director for the UK business of Iron Mountain and, earlier, for Marconi Software Solutions and Fujitsu in sales roles in Europe and Africa. Visit https://www.shredit.co.uk.

© 2024 Professional Security Magazine. All rights reserved.