NEVER allow old Confidential Information to leave your premises un-shredded.
An Introduction to the New ‘European General Data Protection Regulations’ - GDPR
Don Ruffles Limited (ShreddingMachines.co.uk), in conjunction with our shredder suppliers, is distributing a white paper to give readers a basic introduction to GDPR. It will highlight what the new regulations will mean for you and how these changes will affect the way we all do business. New research commissioned by office products vendor Fellowes UK has revealed widespread confusion around impending changes to EU Data Protection Laws:
We highly recommend that this white paper is distributed to all business owners and managers potentially affected by the high-profile, scary media GDPR headlines, as this law comes into force in May 2018.
'A failure to comply could lead to huge fines of £18 million (€20m) or 4% of global turnover'
The synopsis below shows how the new regulation will radically change the way your business will need to take care of your staff, customer and supplier personal data, and how, if it is ignored, you could potentially face huge fines or even bankruptcy. If sensitive data is lost or stolen, even by cyber-attack, companies will have a responsibility to report the breach, normally within 72 hours. They will be required to show the processes they follow for the storage and destruction of hard copy paper documents, as well as of information held on all other types of data-carrying devices, e.g. mobile phones, tablets, PCs, laptops and photocopiers.
Please note, it is not just about paper. It is vitally important you consider not only how you securely store sensitive information, but also how you plan to effectively destroy redundant digital memory, optical disks, hard disks, hard drives, magnetic tapes, microform, paper, SIM / smart cards, or even visual display units, where screens can hold data.
You also need to consider Visual Data Security as well as Physical Data Security - here are a couple of practical examples:
Laptops and PC Screens WILL be required to be fitted with specialist PRIVACY FILTERS to stop snoopers snooping.
Whilst the implications are incredibly scary, don’t worry as you have time to react, but don’t leave it too late. Here at Don Ruffles, with our unique depth of knowledge of data destruction, storage planning and privacy requirements, we would love to help you.
Practical advice from a proven supplier:
Powered by Ruffles - as the largest supplier of security shredders in the UK, via our ShreddingMachines.co.uk website, we have over 20 years' experience in recommending all types of shredding machines, media destroyers and hard drive degaussers. If you would like other vetted contractors to shred your sensitive data for you, consider our MobileShredding.co.uk services. We can offer the best advice on the most appropriate safes and other storage devices to keep all of your data safe and secure via SafeRunner.co.uk. Plus, our OfficeSuppliesWorld.com features a full range of privacy filters for every type and size of screen to help you with your visual security requirements.
There is a huge amount of information to digest, but because these new regulations are so vitally important to us all, we hope that you find the enclosed helpful. Please note that as this is our general interpretation of the regulations, and your specific needs may require more specialist knowledge, we would always suggest that you speak to your legal team for more advice.
If you require any further detail or product recommendations, please call one of our advisors on 0845 5555 007 or 01293 775248, or email firstname.lastname@example.org, where our experienced staff would be delighted to help.
So, let's get some GDPR detail
What is the GDPR all about? The European Union (EU) has changed the way that all businesses must deal with their data protection rules. The changes are now law, and they will go live across the EU on 25 May 2018. These new rules are called the General Data Protection Regulation, or in short – GDPR, and will apply to all public authorities and any size or type of business.
What is EU Data Protection? In the EU there are existing legal rules regarding the collection and processing of personal data. Anyone who collects, processes or holds any personal data has a duty to protect it from misuse and comply with a range of legal requirements. GDPR simply upgrades the existing rules, and the new rules enhance how businesses currently deal with their data protection, corporate fraud and identity theft requirements.
Do these new rules apply to electronic data as well as paper copies? Yes, the GDPR will apply to electronic data (like emails and databases) and to hard copy files, with a few exceptions. This means that you will have the responsibility to protect not just all paper-based files, but also information held on other data-carrying media. You will need to keep all media holding sensitive and personal information (like paper, SIM or smart cards and microform) physically secure from other staff. When it is no longer required, dispose of it securely - for example, with suitable cross-cut paper shredders, so that the data is no longer readable. If your current shredder only produces strips that could easily be put back together, consider the use of a higher-security shredder.
Other data media carriers which hold sensitive and personal data like hard drives, digital memory, and magnetic tapes, will all need to be wiped clean (degaussed) or shredded through more specialist machines so information cannot be accessed and viewed.
What kind of fines can my business face for breaching the rules? This is the very scary part! Under the new regime, data protection regulators can impose massive fines for infringing the new rules. The highest level of fine can be either a maximum of £18 million or 4% of your business's global annual turnover, whichever is the higher. Although not every breach will result in the highest fine being imposed, we are urging all of our customers to set out a plan to make sure that they follow the rules, as not doing so could be potentially disastrous.
Will businesses have to do more? Yes. Every organisation will have more responsibilities, and your obligations under the new rules, in particular to implement technical and organisational measures to make sure that data is processed properly, will inevitably need reviewing. To assess the correct level of security required in storage, secure destruction and the potential viewing of sensitive information by others, you must consider all of the risks that are presented. You will also need to be able to show what measures you have taken, if a regulator should ask. An important part may be to check who you are sending personal data to. For example, you may need to check the processes of the people you share information or work with, like mailing houses, external shredding companies and employment agencies, to see whether the personal information you are sending them could potentially be viewed by others.
Are there any examples of cases where people have got things wrong? - The lesson for failure to comply can be painful.
Recently, the UK’s data protection regulator, the Information Commissioner’s Office (ICO), fined a local authority £100,000 for failing to have security measures in place to guard against the accidental loss or destruction of data where documents containing personal data of around 100 people (including adults and children in vulnerable circumstances) were found by the purchaser of a disused building.
In Holland, some public transport operators were fined by the data protection regulator because they kept transaction data longer than necessary. The operators were initially told by the regulator to either delete the transaction data or anonymise it – the operators decided to keep the data and anonymise it, but the anonymisation techniques were not sufficient in at least one case and as a consequence one operator had to pay a fine of €125,000.
In Spain there have been several enforcement cases by the data protection regulator where documentation containing personal data was dumped in waste bins or in the street – in at least one case the documentation was only partially shredded and in other cases the dumping was due to the failure to shred or properly destroy the documents.
You will all have read about (and some may even be personally affected by) the Equifax data breach of 143 million customers. During this scandal, customers' names, social security numbers, dates of birth and other personal information were exposed.
Will I have to put data protection at the heart of what I do? Yes. As privacy must be built in to all of your processes, businesses will have to put in place ways of making sure that, by default, only personal data which needs to be processed, is processed. As a result, you’ll have to ask yourself:
Data you need must be securely stored and data you do not need any more should be securely destroyed
Will consent be required for data processing? Yes. Generally speaking, there must be a legitimate reason for processing personal data. If consent is being relied on to process data, under the new rules a person's consent must be freely given, specific, informed and unambiguous. Silence, opt-outs or inactivity can't be relied on; instead, an active process such as box-ticking will have to be put in place. Businesses must also be able to demonstrate that consent has actually been given. Make certain that you have processes in place that meet all these requirements.
Are there any new rights? Yes. A series of new rights have been introduced including:
Implementing these new rights will be challenging for many organisations, although it should also be emphasised that all these new rights are qualified, and there are some exceptions, so we recommend that specific professional or legal advice should be taken.
What about people asking to see their data? The ability for people to exercise their right to gain access to data held on them, technically called a SAR or 'Subject Access Request', continues under the new rules, and a SAR must be answered within one month, although an extension may be granted in some circumstances. Also, the ability for a business to charge a fee to respond to a SAR has been abolished, so it is expected that there will be a significant rise in the number of SARs being made, especially given the rise in email and cloud applications. SARs are also now expected to be costlier and more complex to deal with, so an essential part of any organisation's future data protection strategy will be putting proper processes in place to deal with Subject Access Requests.
Will I need to appoint a Data Protection Officer? Possibly, as under GDPR, public authorities must appoint a Data Protection Officer (DPO) and a DPO will also have to be appointed for businesses to deal with data protection compliance in some circumstances. Again, we would recommend you take legal advice on this as the rules are quite complex and it depends on what you do and potentially where you do it. Given the significance of privacy compliance today, even if technically speaking a DPO is not required, you should consider appointing one anyway.
Will I have to report data breaches? Yes. Ensuring your data is secure is one of the backbones of the new rules. What constitutes a data breach may cover many situations, including improper or non-secure destruction, data loss, alteration, and unauthorised disclosure of or access to personal data. Breaches will have to be reported to the relevant data protection regulator without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. You will also have to detail what action has been undertaken to mitigate the breach. People affected by the breach must also be informed of it without undue delay when the breach is likely to result in a high risk to their rights and freedoms. There are some limited exceptions to both reporting to a regulator and informing people, for which proper legal advice should be sought.
Data breach reporting is made more complicated still by the fact that some countries already have their own data breach reporting obligations. Data breach reporting may also be required under other rules and regulations, particularly in the financial and health sectors, and additional, separate legislation is being, and may further be, implemented across the EU in line with EU cyber security requirements.
What about liability and compensation? As a principle, anyone who has suffered damage due to an infringement of the new rules will have the right to seek compensation from those controlling or processing the personal data in question, subject to some exceptions. As a direct result of the extra risk that an infringement, and especially a data breach, may now bring under the new rules, businesses should take every step to minimise their exposure to potential compensation claims. Businesses must therefore put in place a clear data breach action plan and policy as a top priority.
What kind of privacy impact assessments will have to be made? Under the new rules, a 'Data Protection Impact Assessment' or DPIA must be carried out when processing data which is likely to result in a high risk to people's rights and freedoms. This impact assessment, which must be done prior to the processing, should detail the measures taken to mitigate any risk, after consultation with a data protection regulator. DPIAs are likely to become much more common and should prove to be a very useful tool for businesses in addressing risks across data processing, data storage and data security, including risks such as accidental or unlawful destruction.
What should I do now? Don't leave it any longer to start implementing the processes needed to become GDPR compliant. It is recommended that you start to address the following top ten compliance issues as soon as possible: