The EU’s General Data Protection Regulation (GDPR) comes into effect in May 2018, requiring organisations to apply sound security practices to all electronic and paper-based personal data with respect to its collection, storage, access and disposal.
Part of the requirement is to put plans in place for what should happen in the event of a breach. Whilst electronic data security has been top of mind for many organisations for many years, the security of paper based personal data is often neglected or overlooked.
How to avoid paperwork breaches
Introducing clear rules about the use of paper documents containing information about an identifiable person and their personal data – defining what is ‘personal’ – and then the process for correct shredding of documents – based on the sensitivity of the data contained – is the first step towards compliance. A clear and firm document shredding policy is required supported by robust GDPR compliance process. A lot of the GDPR obligations placed on businesses are common sense and should already be in practice in companies with solid data privacy and protection processes in place.
Here’s a quick six-point check list for compliance requirements:
1. Appoint a Data Protection Officer – keep records of all data processing activities performed by the company. This officer must be fully commensurate with the organisation’s responsibilities regarding GDPR and have a thorough understanding of what data within your organisation counts as ‘personal’, where it’s kept, who has access to it, how to spot breaches when they occur and who to report this to. The Data Protection Officer doesn’t have to be an employee – you can outsource this function.
2. Assess your systems – Review all contracts, technology support, procedures and tools that relate to the processing, handling, storing and deleting of data to enable you to identify any weaknesses or gaps that require changes to be made.
3. Develop a strategy – Construct a new strategy that will ensure full compliance with the GDPR. This strategy may encompass new investment in technology, revise staff procedures and responsibility for data processing, create new roles within the organisation.
4. Implement a new organisation policy – The next step towards GDPR compliance is to put your plan into action throughout all levels of the organisation. Invest and introduce new technologies and systems required in the workplace and publish an informative data handling and processing guide.
5. Employee engagement – Launch your new data compliance policy to all staff; provide training, information and guides to employees so they are educated and aware of the changes taking place and their responsibility in ensuring that the company meets the requirements of the GDPR.
6. Review and improve – After launching your GDPR compliance plan, now is the time to review and improve before the regulations come in effect. Identifying any necessary improvements well in advance of the GDPR’s deadline, once May 2018 arrives your organisation will have successfully and efficiently adapted to the changes and be completely compliant.