Last August, as most businesses will know, the British Government announced its plans to bring the General Data Protection Regulation (GDPR) into UK law via the new Data Protection Bill. The GDPR marks perhaps one of the biggest shifts in data protection law in UK history, and all businesses (no matter their size) need to be prepared for the date it starts to apply: 25 May 2018. We’re a professional document storage and management company, so it’s our duty to know all about the GDPR so our clients know their data is in safe hands. In this post, we’ll be giving you the lowdown on how the GDPR works, how it differs from the current Data Protection Act (DPA), and what your business can do to ensure compliance with the changes. It’s still not too late to make the necessary changes to your business and avoid a penalty!

What exactly is the GDPR?

The new General Data Protection Regulation has a similar function to the Data Protection Act 1998, which it replaces. Both aim to control the means by which personal information is handled by businesses and individuals alike, while securing legal rights for the people whose information is stored. Since we help businesses manage and destroy large amounts of their confidential data, we are in essence helping them stay compliant with the current DPA and (as of May this year) the GDPR. Our practices are in line with UK legislation, thus reducing our clients’ risk of both regulatory penalties and business fraud.

But the new GDPR is not exactly the same as the DPA, and you will still of course need to pay attention to the major differences and alter your company’s practices accordingly. As the Information Commissioner’s Office states: “Many of the GDPR’s main concepts and principles are much the same as those in the current DPA, so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.”

Who will the new data protection regulations affect?

As an EU regulation (not a directive), the GDPR applies directly in every member state of the European Union without needing separate national laws. Its requirements apply not only to businesses established in the UK and the rest of the EU, but also to businesses outside the EU that offer goods or services to people in the EU or monitor their behaviour, so holding EU residents’ data is enough to bring you into scope. Many companies seem to be taking the regulation less seriously because they believe it won’t be relevant once Brexit removes the UK from EU law. However, the UK Government has stated that the GDPR’s requirements will continue to apply regardless of our departure from the EU, which is precisely what the Data Protection Bill is for. As such, companies should still prepare to change the way they handle personal data, even if those responsible are confident that the UK will achieve a so-called hard Brexit. Being unprepared could have dire consequences for both your business and any clients or customers with whom your business deals.

As stated above, the ICO claims that there will be a number of “significant enhancements” to current data protection legislation brought about by the GDPR. What are these enhancements, and how will they apply to your business?

Consent

The GDPR makes it harder for companies to obtain valid consent from individuals (e.g. via contracts and forms) because of a number of new restrictions. The ICO’s GDPR Consent Guidance document explains how the definitions of consent in the DPA and the GDPR differ, and how companies should go about asking for consent. Perhaps the main change concerns pre-ticked boxes in online forms. These are used to ‘gain’ customers’ consent automatically (for mailing lists or promotional materials) without the customer performing any action. Under the GDPR, pre-ticked boxes, silence and inactivity no longer count as consent, because they bypass the need for customers to actively opt in: consent must be a clear, affirmative action.

Likewise, businesses are required to keep a record of consent at all times. This means being able to demonstrate exactly who consented, how and when they consented, exactly what they were told before consenting, and whether or not they have since withdrawn that consent.
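As an added example (this is not code from the original post, nor anything produced by Flexible Storage Solutions), the following Python sketch shows what that record of consent looks like when implemented: an append-only log that captures who, how, when and the exact wording shown, refuses to record ‘consent’ that did not come from an affirmative action, and can answer “did this person have valid consent for this purpose at this moment?” even after a withdrawal. The customer references, purpose names and notice wording are made-up sample data.

```python
"""Append-only consent log: records who consented, how, when, to what
exact wording, and whether consent was later withdrawn.
Added example; the identifiers and sample data below are invented."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str       # who (hypothetical internal customer reference)
    purpose: str          # what the consent covers, e.g. "marketing_email"
    action: str           # "granted" or "withdrawn"
    at: datetime          # when (stored in UTC)
    channel: str          # how, e.g. "web_signup_form", "unsubscribe_link"
    notice_sha256: str    # hash of the exact wording shown before consenting
    notice_text: str      # the wording itself, so it can be produced on request


def _utc(dt: datetime) -> datetime:
    """Reject naive timestamps; an audit trail must be unambiguous in time."""
    if dt.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return dt.astimezone(timezone.utc)


class ConsentLog:
    """Events are only ever appended, never edited or deleted, so the full
    history (including withdrawals) stays demonstrable."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def grant(self, subject_id: str, purpose: str, channel: str,
              notice_text: str, at: datetime, affirmative_action: bool) -> ConsentEvent:
        # A pre-ticked box, silence or inactivity is not consent: refuse to record it.
        if not affirmative_action:
            raise ValueError("consent requires a clear affirmative action; "
                             "pre-ticked boxes and defaults do not count")
        digest = hashlib.sha256(notice_text.encode("utf-8")).hexdigest()
        ev = ConsentEvent(subject_id, purpose, "granted", _utc(at), channel, digest, notice_text)
        self._events.append(ev)
        return ev

    def withdraw(self, subject_id: str, purpose: str, channel: str, at: datetime) -> ConsentEvent:
        ev = ConsentEvent(subject_id, purpose, "withdrawn", _utc(at), channel, "", "")
        self._events.append(ev)
        return ev

    def history(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """Every event for one person and purpose, oldest first: the evidence trail."""
        return sorted((e for e in self._events
                       if e.subject_id == subject_id and e.purpose == purpose),
                      key=lambda e: e.at)

    def has_consent(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """True only if the most recent event on or before `at` is a grant."""
        when = _utc(at) if at is not None else datetime.now(timezone.utc)
        latest = None
        for e in self.history(subject_id, purpose):
            if e.at <= when:
                latest = e
        return latest is not None and latest.action == "granted"


# Constructed sample notice wording (not a real privacy notice).
NOTICE_V1 = "We will email you our monthly newsletter. You can unsubscribe at any time."


def demo() -> Dict[str, object]:
    """Walk through a grant, a withdrawal and a rejected pre-ticked 'consent'."""
    log = ConsentLog()
    t_grant = datetime(2018, 3, 1, 9, 0, tzinfo=timezone.utc)
    t_withdraw = datetime(2018, 3, 20, 14, 30, tzinfo=timezone.utc)
    log.grant("cust-1042", "marketing_email", "web_signup_form", NOTICE_V1,
              t_grant, affirmative_action=True)
    log.withdraw("cust-1042", "marketing_email", "unsubscribe_link", t_withdraw)
    try:
        log.grant("cust-2077", "marketing_email", "web_signup_form", NOTICE_V1,
                  t_grant, affirmative_action=False)   # pre-ticked box
        preticked_recorded = True
    except ValueError:
        preticked_recorded = False
    trail = log.history("cust-1042", "marketing_email")
    return {
        "before_withdrawal": log.has_consent("cust-1042", "marketing_email",
                                             at=datetime(2018, 3, 10, tzinfo=timezone.utc)),
        "after_withdrawal": log.has_consent("cust-1042", "marketing_email", at=t_withdraw),
        "preticked_recorded": preticked_recorded,
        "events_on_record": len(trail),
        "notice_hash": trail[0].notice_sha256,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The notice hash is what lets you prove later exactly which wording a customer saw, even after your privacy notice has been revised; the withdrawal is stored as a new event rather than by deleting the grant, so the record still shows that consent once existed and when it ended.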

Individual rights

In addition to placing restrictions on the ways in which companies can gain people’s consent, the GDPR will also grant individuals more rights over their personal data. This will include the following notable rights which have previously been hot topics within the media:

  • The right to object to processing and the right to restrict processing (individuals can object to how their data is used, and can ask for its use to be limited while a dispute is resolved)
  • The right to erasure, often called the ‘right to be forgotten’ (individuals can request that their data be deleted in certain circumstances, such as when it is no longer needed for the purpose it was collected for)
  • The right to data portability (individuals can obtain the data they have provided in a structured, machine-readable format and have it transferred to another provider)

Furthermore, individuals can complain to the ICO if they feel their information is being misused. These new individual rights will not only grant more freedom and power to individual consumers, but also ensure that businesses are kept in check and do not misuse personal data. As such, your business should take extra care when obtaining, using, and storing such data in order to avoid infringing these strengthened individual rights.

Data protection officers

According to the ICO, certain organisations are required to designate a ‘data protection officer’ (DPO) to monitor their compliance with the GDPR, advise on their handling of personal data, and act as the point of contact for the ICO and for individuals. The role can be filled internally or by appointing a third-party GDPR advisor. In summary, the organisations that now require a data protection officer are as follows:

  • Public authorities (not counting courts acting in their judicial capacity)
  • Organisations whose core activities involve the regular and systematic monitoring of individuals on a large scale
  • Organisations whose core activities involve the large-scale processing of special categories of data (such as health records) or of data about criminal convictions

The ICO has stated that data protection officers are required so that such organisations take “proper responsibility of (their) data protection compliance and (have) the knowledge, support and authority to carry out their role effectively”. If your company comes under this remit, you had better get on the job hunt before May!

Why should you comply?

Yes, becoming compliant with the new GDPR may seem like a lot of hard work, but it’s worth it – after all, this is a matter of law. What is at stake if a business fails to comply with the GDPR? In short, you are risking huge fines. While businesses ignoring the DPA faced fines of up to £500,000 (after enhanced powers were granted to the ICO by parliament in April 2010), businesses ignoring the GDPR are looking at much larger fines. The maximum penalty is now a fine of up to €20 million (around £17 million) or 4% of a company’s annual worldwide turnover, whichever is higher, for the most serious infringements, with a lower tier of up to €10 million or 2% of turnover for others.

As such, the fine you could receive depends on the nature of your noncompliance, but ideally you will never find out what the exact amount is! If you didn’t take the GDPR seriously before, hopefully you will now that you understand the risks associated with noncompliance.

Under the DPA there was no general duty to report data breaches to the ICO; only certain organisations (telecoms and internet service providers, under the separate PECR rules) had to notify. With the GDPR, this responsibility extends to all organisations that experience a breach of a certain type, and the ICO must be notified within 72 hours of the organisation becoming aware of it, where feasible. According to the ICO, businesses must give notice of a breach when it’s “likely to result in a risk to the rights and freedoms of individuals”. This is fairly broad, but they specify that it covers breaches that may result in significant financial losses, loss of confidentiality, damage to reputation, and “any other significant economic or social disadvantage”. Where the breach is likely to result in a high risk to the individuals affected, they must also be told without undue delay.

Is your business compliant with the GDPR?

Perhaps the best way to answer this question is by reading through the ICO’s official document on preparing for the GDPR. Many businesses will already be compliant with the DPA and as such will not require major revisions to their company policies. However, with the above changes in mind, all businesses should look at how they deal with consent and individual rights before deeming themselves compliant (read through your existing privacy policy to be sure).

In sum, here are the main questions every business should be asking:

  • Who within your business needs to be informed and educated about the GDPR, and how will you make sure they stay compliant?
  • How does your business deal with data breaches? Is there a process set in place?
  • Does your business need to recruit a data protection officer? How will you go about doing this in an efficient and responsible way if it is necessary?
  • Is it clear to customers that they can withdraw their consent from your business at any time and that they have a right to file a complaint with the ICO if they need to?
  • Does your business use ‘default consent’ and, if so, what changes need to be made?
  • Who within your business is responsible for keeping track of the destruction of data, and for how long will this information be kept on your company records?
  • How does your business currently handle the storage and destruction of personal data?
  • Are there any immediate changes that you need to make to the way your business implements, enforces, and records these processes?
  • How will you track when, how, and why individuals grant your business their consent?

Do you need help with GDPR compliance?

The GDPR can be tricky territory to navigate for any business, especially for those who require many changes to internal company policy and major overhauls in their storage procedures. However, many of these processes can be outsourced to document management companies like Flexible Storage Solutions. We can help your business comply with the GDPR by:

  • storing your company documents within fireproof boxes and secure vaults protected by 24hr CCTV, ensuring that your confidential data does not fall into the wrong hands;
  • tracking your documents via a secure online document management system which grants you on-demand access to scanned copies of all your physical documents; and
  • destroying any documents you have stored with us using safe and efficient industrial-grade shredders while keeping a comprehensive record of all the data we destroy.

We are fully compliant with the GDPR and will be happy to take this load off your shoulders. When you outsource to a company that has knowledge and experience with data protection, you can focus on the growth and success of your business rather than matters of compliance. Interested? Get in touch with one of our professional storage consultants here to get a quote!

April 6, 2018