The Data Protection Bill was published in Parliament last week (14.09.17) by Digital Minister Matt Hancock. The EU's GDPR is fully incorporated into UK law under what will be known as the Data Protection Act 2018, due to come into effect on 25th May 2018. One of the biggest differences from the existing Data Protection Act is the greater liability placed on data processors, which if breached could result in much higher fines of €20 million or 4% of a firm's global turnover (whichever is greater). We have created a guide to GDPR and Data Destruction for your information.
Download our 5 step guide to GDPR and Data Protection.
Creating awareness within your organisation of the new rules is the first step to making sure you are compliant with GDPR. Organisations need to make sure all employees (particularly decision makers) are aware of the new rules coming into effect on 25th May 2018 and the risks involved in non-compliance.
There are a number of key areas within all organisations that involve processing data. A few of them are listed below.
To ensure all parts of your organisation comply with the new GDPR regulations, it is key that every data processing activity has been thoroughly assessed to eliminate risk. We provide some guidance on assessing the data destruction aspect of your organisation in point four.
An organisation should engage with the following actions:
After conducting an audit of your data processes, you should now know exactly where your data is being outsourced to, whether that is storage facilities, data destruction facilities or any other third-party facilities.
The next step would be to audit your data destruction process.
One of the biggest differences in the new GDPR compared to the existing Data Protection Act is the increased liability and fines for data breaches. There is likely to be a significant shift in focus towards preventative measures and towards auditing how and where your data is stored and destroyed. Most organisations will need to review the GDPR shredding requirements to reduce the risk of data breaches and to be compliant with the new Data Protection Act 2018.
Topwood has provided a comprehensive guide to a secure destruction process.
1. Create a standard policy and communicate it to employees. For example, this could include a poster outlining your shred-all and clear-desk policies. Download our free poster to place above your confidential waste bins here. This will reinforce awareness and reduce the risk of human error when it comes to data breaches.
2. Once documents or media are no longer required, employees should safely dispose of them in shredding receptacles (locked consoles and wheelie bins where there is no access to the documents once deposited).
5. At the end of the data destruction process, you should receive a Certificate of Destruction, as evidence of your duty of care and of conformance with the new GDPR regulations.
Once a secure data destruction process is in place, your organisation should be auditing your third-party organisations. Some key questions to ask would include: Where does my waste go? Is it being destroyed on-site? Is it being destroyed off-site? If off-site, have I audited the facilities? Please see our guide to identify whether you have a compliant shredding contractor.
Our GDPR Data Destruction Audit Template is available to download.
If you would like more information about how to become GDPR compliant, contact us on 0800 781 1066 or email us at email@example.com.