At the end of 2017 the ICO announced that a charity employee had been prosecuted for taking and sharing the personal details of 183 people, including their full names, dates of birth, telephone numbers and medical information. The individual was fined £1860.25 plus a £15 victim surcharge for breaching Section 55 of the Data Protection Act 1998. Read on to find out how this could change with the upcoming enforcement of the General Data Protection Regulation.
This serves as a reminder to all companies and data controllers that organisations need to make every employee aware of the requirement to have all reasonable measures in place to prevent the loss, theft or misuse of their data. Although the organisation itself was not penalised, this news story shows that the ICO will take action if companies or individuals fail to comply with the Data Protection Act. From May 2018, under the new Data Protection Act 2018, these penalties are set to rise to 4% of annual turnover or 20 million Euros for the most serious breaches.
What can you do to make sure your organisation and employees conform to the new GDPR details?
From a data destruction point of view your business must ensure: …
If you do not currently employ the above measures your data and reputation could be at risk.
Regular data destruction is the most efficient method of ensuring your organisation conforms to the GDPR guidelines. Leaving sensitive documents such as HR records, payroll information and old accounts records in archive rooms, store rooms and warehouses increases the risk of prying eyes and security breaches. Some data must be kept for legal reasons, so a retention schedule should be in place that maps how long data and documents are kept for and when they will be destroyed.
To find out the first steps to take to conform to the new GDPR regulations take a look at our 5 step guide.
Another important step to take is data mapping. Individuals will have the ‘right to be forgotten’, meaning they can request that their personal details be deleted and destroyed. The data controller then has 30 days to respond to these Subject Access Requests. In order to respond within the GDPR guidelines, data controllers must have a comprehensive data management system in place to identify where they have stored individuals’ data and personal information.
Topwood are able to supply an Electronic Document Management system in combination with a secure off-site storage service, a scan-on-demand service and a confidential shredding service, which enables us to provide you with an easy solution to your data mapping. All of Topwood’s services are regularly audited and we are certified to the highest standards, reinforcing the guarantee that you will be compliant with the new GDPR regulations.