When do we know we are GDPR compliant?

Seeking professional help in disposing of your data is a wise investment, especially now that the GDPR is in place. But what exactly does it mean to be ‘GDPR compliant’? Don Robbins, Information Destruction Section chair at the British Security Industry Association, discusses.

In the months before and following the recent introduction of the General Data Protection Regulation (GDPR) Act on 25 May 2018, companies and organisations across the UK will have been taking steps to ensure that they fall in line with the new procedures. A crucial part of this process will have been procuring the right services to ensure their data storage adheres to the changes. Under the new legislation, organisations will not only have to prove that they have audited their data but also prove that they have taken the right steps to destroy data that is no longer relevant. After this date, any company seen not to be in compliance with the new rules is at risk of compromising its business.

Top of the list of tangible risks will be a raft of financial penalties issued by the Information Commissioner’s Office (ICO), or even prosecution of those who commit criminal offences under the Act. The ICO can currently issue businesses that display poor data management in breach of the Data Protection Act with fines of up to £500,000. The largest of these fines so far was £400,000, issued to two separate companies (Keurboom Communications Ltd and TalkTalk Telecom Group PLC). In addition, there have been 19 prosecutions for criminal offences committed under the Data Protection Act during the same time period. Under GDPR, fines can be up to four per cent of annual global turnover or 20 million Euros.

“One of the most vulnerable periods of the data processing cycle is the point at which data is no longer required and needs to be disposed of. If data is not adequately disposed of at the end of its life cycle, it can fall into the wrong hands and be unlawfully processed.”

The other most common risk is reputational damage leading to lost business. As customers become increasingly aware of, and concerned about, how businesses collect and use their personal information, businesses risk losing customer confidence in the brand wherever customers feel that their privacy is not being protected or respected. A loss in customer confidence ultimately leads to financial loss.

When it comes to information destruction, the seventh principle of the Data Protection Act stipulates that appropriate measures must be taken against accidental loss, destruction or damage to personal data and against unlawful processing of the data. So now that the new GDPR legislation has come into force, companies in both the private and public sectors will need to prove that data is securely erased in line with the new guidelines, and show that they are fully accountable for monitoring, reviewing and assessing relevant processing procedures.

How do we mitigate these potentially expensive financial and reputational hazards when disposing of data that is no longer needed? Shredding confidential material is costly and time consuming, which for some firms means in-house data shredding is not a viable option; this is especially true for those handling vast amounts of data across a variety of sites. In these situations, outsourcing to a regulated information destruction (ID) organisation is the most practical alternative.

“In the last twelve months alone, over £4.1 million worth of fines have been issued to businesses that have failed to comply with the Data Protection Act.”

Engaging a company that specialises in this service, either on site or off site at a high-security shredding facility, gives organisations the reassurance that destruction is being done to the highest standard. Registered data shredders have to comply with the highest industry standards, which are regularly updated, and any provider of this service must be able to demonstrate that it is certified to EN15713, the European standard for data destruction. This standard sets out the measures that organisations should take to maintain the security of confidential data and provides recommendations on the management and control of the collection, transportation and destruction of confidential material, to ensure such material is disposed of safely and securely.

“There has been increased demand for these services from both existing customers and new queries, asking about GDPR and how information destruction can assist, but even at this late stage there is confusion around what it means to be fully ‘GDPR compliant’.”

GDPR represents a great opportunity for information destruction companies. In the current climate there has been increased demand for these services from both new and existing customers, asking about GDPR and how information destruction can assist. But even with all this help at hand there is still confusion around what it means to be fully ‘GDPR compliant’, not just from the point of view of the customer but also in terms of how it affects the industry itself as a holder of its own data.

Industry feedback from customers shows varying levels of concern, from companies looking for accreditation, to others happy with a downloaded template data policy or standard T&Cs, to others simply ignoring the deadline. From an industry standpoint there are three elements that could affect information destruction as a business: its own data responsibilities, the shredding services it provides for the destruction of data as a data processor, and marketing to opted-in existing and prospective clients.

These elements are all currently open to interpretation (both by experts and by customers) and are most likely common across all industries, so it is arguable that even with all this information at hand, companies are still not fully aware of their obligations, no matter how robustly these are laid out by the ISO.

Of course, some of these issues open up opportunities for companies dealing with data to create new services. But they also show that even at this late date, so close to a major data milestone, there is still work to do in communicating what companies need to do.

What is data destruction?
Secure data destruction is the process of destroying confidential materials to the point that they cannot be reconstituted. These materials can take many forms, including paper, computer hard-drives, branded products and uniforms, but crucially, they all hold the potential to cause problems for business, employees or customers if they fall into the wrong hands.

Information destruction companies provide a range of services to help businesses of all sizes to protect themselves from the risks associated with data loss or theft. Shredding of materials can take place at business premises using a mobile shredding vehicle, or materials can be collected and shredded at a high-security shredding facility. Whether confidential materials are shredded on-site or at a high-security shredding facility, businesses that outsource their shredding to a professional service provider can be assured that the data will be completely destroyed.

Additionally, the services provided by an information destruction company extend far beyond the actual destruction of confidential material. These services can also include secure document storage, data security advice and guidance, office clearance and recycling.

Every business will collect and generate confidential information relating to its operations, its employees or its customers. When this information is no longer required, there can be severe consequences for the data subjects if the information is not correctly disposed of and subsequently falls into the wrong hands.

Therefore, any business that collects, holds, processes or disposes of a person’s personal information has a responsibility to ensure that it is protected from loss or theft. In fact, since the Data Protection Act was passed in 1998, there has been a legal obligation for businesses to act responsibly with regards to how they use personal information.

Under the Data Protection Act 1998, everyone responsible for using data has to follow the data protection principles. These include ensuring that data is used fairly and lawfully; for limited, specifically stated purposes; used in a way that is adequate, relevant and not excessive; accurate; kept for no longer than is absolutely necessary; handled according to people’s data protection rights; kept safe and secure; and is not transferred outside the European Economic Area without adequate protection.

This has now changed as of 25 May 2018, when the General Data Protection Regulation (GDPR) came into effect in the UK. The GDPR has potentially significant impacts on the ways in which UK businesses collect and process the personal data of individuals.

All organisations globally are obligated to provide evidence of compliance and can be fined for any data breach. Failure to comply could lead to tough financial penalties. The definition of personal data is now broader, and there will be stricter rules for obtaining consent as a legal basis for processing personal data. As a data controller, a company must have a legal basis for collecting and processing personal data and must ensure adequate contracts are in place to govern its data processors.

Further Information: 

www.bsia.co.uk
