Is Your Company Prepared for the New GDPR?
What is GDPR?
In the UK, the Data Protection Act 1998 (DPA), which implemented the EU Data Protection Directive 95/46/EC, is being superseded by the EU General Data Protection Regulation (GDPR). The GDPR applies from 25 May 2018 to every organisation that processes the personal data of individuals in the EU, wherever that organisation is based. The regulation is designed to improve the way that companies collect, handle, process and archive personal data such as HR documents and customers’ confidential information.
Personal data protected under the GDPR is any information relating to an identified or identifiable living individual, such as a name, address, job title or an online identifier. Special category (sensitive) data covers information such as racial or ethnic origin, political opinions, religious beliefs, health data and sexual orientation, and may only be processed under the stricter conditions set out in Article 9.
What’s different about GDPR?
The GDPR builds on the principles of the DPA but introduces stronger security and accountability requirements for processing and storing personal data. Organisations must be able to demonstrate that they have implemented “data protection by design and by default”, which is set out in Article 25 of the GDPR. In practice this means most companies will need to invest in additional technology, processes and training in order to secure and manage clients’ personal data.
A key change is the strengthened right of access: individuals can ask the data controller to confirm whether their personal data is being processed and, if so, where it came from, what it is used for and who it is shared with. The controller must also provide a copy of the personal data; where the request is made electronically, the copy must be supplied in a commonly used electronic format unless the individual asks otherwise. Individuals also have the right to erasure (the “right to be forgotten”), which obliges the controller to delete their personal data in the circumstances set out in Article 17, for example where it is no longer needed for the purpose for which it was collected.
Another area the GDPR brings into sharper focus is cyber security. The regulation explicitly counts online identifiers such as IP addresses, cookie identifiers and device IDs as personal data (Recital 30), so the social media, instant messaging and other digital communication platforms that are now routine in day-to-day business fall squarely within its scope, and Article 32 requires both controllers and processors to put in place security measures appropriate to the risk.
What does this mean for your business?
Because individuals have the right to access their data, organisations should be prepared to supply a copy of the personal data they hold, together with an explanation of how it is used and for what purpose, without undue delay and at the latest within one month of receiving the request (extendable by two further months for complex or numerous requests). If the request is made electronically, for instance by email, the information should be provided in a commonly used electronic format such as PDF.
Handling a large volume of such requests would cost considerable time and money if each one meant locating and sending paper records by hand, particularly as the first copy must be supplied free of charge and only further copies may attract a reasonable fee. If the individual makes the request by email, an electronic copy must be sent.
Cleardata’s scanning bureau is the largest on-site user of specialised Kodak Alaris scanners, which output 420 scanned images per minute, so it can process documents far faster than a company that does not specialise in document scanning.
Cleardata can scan your company’s documents that contain personal data, e.g. HR records, so that they can be managed efficiently with an audit trail of how the data is processed. Cleardata indexes the documents by employee name, so each file can be searched and sent quickly.
Organisations are also expected to keep personal data only for as long as it is necessary for the purpose for which it was collected (storage limitation) and to protect it with security appropriate to the risk, including physical security of the premises where it is held. Cleardata’s archiving services provide a fully secured, purpose-built facility to store and protect documents, with a full audit trail of all staff and processes.
How does Cleardata comply with GDPR?
With regard to the GDPR’s requirement for security of processing (Article 32), Cleardata is certified to Cyber Essentials and Cyber Essentials Plus, the UK government-backed scheme designed to make the UK a safer place to conduct business online. Cyber Essentials covers five baseline technical controls (boundary firewalls, secure configuration, access control, malware protection and patch management); Cyber Essentials Plus adds independent hands-on testing of those controls. The certification gives customers evidence that these baseline controls are in place against online threats, complementing the physical security of the site.
Although the regulation does not apply until May 2018, the government is encouraging organisations to start taking measures now to ensure all necessary processes and procedures are in place.
To demonstrate GDPR compliance, Cleardata will be able to show a number of data protection measures, including the following:
- A clear indexing process for storage projects: every project has an index list recording the contents of each box, and a full index list is provided to customers, so file retrievals are quick, efficient and timely
- Secure, encrypted file transfer over an SFTP connection to speed up file retrievals
- Secure on-site shredding in line with BS EN 15713:2009 (Code of Practice for the secure destruction of confidential material), giving efficient destruction of documents with a full audit trail
- Customers can make requests and will receive a reply without undue delay and within one month
- Individuals have the right to erasure and the right not to be subject to decisions based solely on automated processing, including profiling (Article 22)
- Data processors such as Cleardata now have direct statutory obligations of their own and are liable alongside the controller for damage caused by processing that breaches those obligations or departs from the controller’s lawful instructions (Article 82)
- All Cleardata staff who handle personal data receive adequate training, with a full audit trail
- Cleardata’s archive facility was purpose built to meet necessary data protection requirements
What happens to organisations that fail to comply with GDPR?
Any organisation that fails to comply with the GDPR could face severe penalties. The most serious infringements carry administrative fines of up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is greater; a lower tier of up to €10 million or 2% applies to breaches of obligations such as security of processing and record keeping.
Ensure your data is safe with Cleardata
Cleardata’s secure archive facility is additionally protected with biometric fingerprint entry systems, Redcare monitored alarm signalling, 24-hour CCTV, secure perimeter fencing, VESDA aspirating (very early) smoke detection, Hydrosense water-leak detection and temperature-controlled storage.
The company’s scanning bureau is also certified to ISO 9001 (Quality Management) and ISO 27001 (Information Security Management). As well as Cyber Essentials Plus, Cleardata is PCI DSS compliant and is BS EN 15713 certified for the secure destruction of documents.
Outsource your company’s important and confidential documents to Cleardata, with assurance that all data will be handled, processed and archived securely through measures that support your GDPR compliance.
Find more information on the GDPR here.
For more information on how Cleardata’s GDPR compliant services can help your organisation achieve hassle-free compliance, please contact us on 0800 046 8081.