In May 2018, the GDPR came into force. This is a regulation set down by the EU that oversees the way that companies use the data of EU citizens. In practice, it has meant that almost every business across the UK has had to make changes to the way it stores data and documents containing personal information.
If you are not currently compliant with the GDPR’s rules and this is discovered, you could face heavy fines. It is important, then, to understand exactly how the GDPR is changing the way that businesses store, use and destroy data and documents.
The rights of the individual become the important factor
The most important and overarching change that the GDPR makes in terms of data and document storage is that the rights surrounding that data shift to the individual and away from the company. If your business handles, stores or uses any kind of personal data that can identify a person – from their IP address to their banking details – they have far more rights over that data than was previously the case.
For example, an individual has the right to know which aspects of their data are being stored as well as how they are being used. This has forced many businesses to reach out to people and re-confirm that they are happy to have their data stored and used in a certain way.
However, knowledge is not the only new right of the individual. A person can also request to have their data deleted or destroyed from a company’s database at any time – even if they have previously given permission to hold the data. Additionally, they can request that their data be altered or that the way it is being used be modified. The exception to this rule is if the company can provide a legitimate reason that it needs to retain an individual’s data.
Software and services that you trust
These changes surrounding the rights of individuals mean that businesses have had to make significant changes to their practices. For example, since individuals can now request full details of what data of theirs a company holds, it is vital that software and structures are in place so that the data of an individual can be recalled immediately. Additionally, it must be possible to have this data deleted without ‘undue delay’.
Remember, too, that if your business is responsible for the data, you need to have complete faith and trust in any external services that you use, as well as in the software that the data is stored on or used with. If you suffer a breach, you need to make anyone whose personal data was at risk of being stolen aware of this within 72 hours. If you currently work with software that does not have this capability, then you may need to make changes to your own system or change the software completely.
Physical document destruction
When we think about the impact of the GDPR on businesses, it is common to focus on digital data, as this is the type most often affected by the regulations. However, it is important to remember that the GDPR takes a broad view and oversees all forms of data – this includes physical documents. If your business is still in the habit of using paper copies of documents that contain personal data, then you need to ensure that you are also disposing of those documents correctly.
This is an area where you need to be careful. Don’t assume that it is safe to shred the documents and then throw them away with other office waste. Criminals commonly exploit this lazy practice and steal rubbish bags with the purpose of retrieving poorly shredded documents and gaining information from them.
Under the GDPR it is vital that businesses hold a destruction certificate to show that documents have been disposed of in the correct manner, in compliance with the rules. Remember that a data breach has consequences that are just as serious for physical copies as they are for digital copies under the GDPR, so you need to ensure that you are following the regulations correctly.