Businesses across Europe are aware that the GDPR will replace the Data Protection Act 1998 (DPA) and come into effect on 25th May 2018. In many respects the new regulation resembles its predecessor, regulating the processing and holding of personal information; however, there are still major differences to keep in mind which will have a real impact on your business.
What Is Classified As Personal Data?
The DPA and the GDPR define personal data differently: the GDPR's definition reflects modern, connected times and even includes personal information such as users' IP addresses. Other personal data includes:
- Economic information
- Cultural details
- Mental health information
- Pseudonymised data, meaning social media usernames and online personas, where the individual can easily be identified
If a person can be identified from the information you hold, e.g. name, telephone number, address or IP address, then it will be classed as personal data under the General Data Protection Regulation.
Demonstrating GDPR Compliance
The new regulation places emphasis on the consumer's right to be forgotten, which means businesses in Europe will need to respond to requests to delete personal information. This covers not only every digital trace of it but also hard copies, which can be much more difficult to deal with. If your business doesn't have a policy for its paper filing, this becomes harder still, more so if your employees have access to the files and can make copies. As a result, many businesses don't have a team that oversees what information is stored where, and in some cases the information can be difficult to locate.
All businesses will need to implement a clear filing and identification system for all paper records, including tags and metadata marked on the file boxes, with clearly defined access rights and accountability.
Even a defined process for managing information from creation to secure destruction might not be enough for your business. Hard copies can easily slip through the cracks of strict information classifications and storage policies through copying, printing or paperwork left lying around. A way to address this is to complement the management of information and processes with regular employee training and clear communication that shows your staff how to manage information securely and support the business. Every employee should understand the difference between private and confidential data and how each needs to be handled.
Breach Notification Procedures
New rules apply under the GDPR to breach notification: a notifiable breach has to be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. You will need an internal breach reporting procedure in place, which will facilitate decision-making about whether you need to notify the relevant supervisory authority or the public. It's vital to have robust breach detection, investigation and internal reporting procedures in place.
Stay GDPR Compliant & Keep Printing
If you want your business’ operations and printing process to continue and to be compliant, you’ll need to ensure you have a robust strategy in place.
- Start by protecting sensitive information you may hold in digital format, and prevent access to it by unauthorised individuals or those who don't need to see it for legitimate business purposes
- Prevent sensitive data from being printed, either on purpose or inadvertently, by those who may or may not have access to it
- Detect any breaches as quickly and easily as possible if they take place despite best efforts
- Have documented processes in place to demonstrate compliance and accountability for all the points above
Many companies have already put network security in place to stop intruders accessing data and information, and this is a great starting point. Unfortunately, network security alone doesn't prevent data being breached from the inside and doesn't protect against in-house printing of sensitive data. So how do you stop this from happening?
How To Prevent Unnecessary Documents Being Printed
To prevent unauthorised people from accessing your data, a card-based printing system helps provide transparency and accountability. However, this alone isn't enough to protect your business under the GDPR. In most cases, the cause of data breaches is the inadvertent or accidental sharing of data printed on paper, which has proven difficult to prevent.
Other measures, such as security stamps, could be added when sensitive data is detected in a document, or alternative workflows could be triggered that send the document to a secure location to be reviewed before permission is granted to release the scanned file, copy or print it.
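As an added illustration of the workflow just described (example code written for this article, not a feature of any print-management product or vendor code): a small Python gate that scans the text of a print job for a few constructed personal-data patterns of the kinds the GDPR covers (IP addresses, contact details), then decides whether to release the job, release it with a security stamp, or hold it for review. The pattern set, the review threshold, the stamp text and the audit-record layout are all assumptions for the example; an organisation would substitute its own classification rules.

```python
import re
from dataclasses import dataclass, field

# Constructed detection patterns for a few personal-data categories.
# The IP pattern does not validate octet ranges; it only needs to be
# good enough to flag a job for human review, not to be a full parser.
PATTERNS = {
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "uk_phone": re.compile(r"\b(?:\+44\s?\d{4}|\(?0\d{4}\)?)\s?\d{3}\s?\d{3}\b"),
}

# Actions the gate can take for a print job (assumed names).
RELEASE, STAMP, QUARANTINE = "release", "stamp", "quarantine"


@dataclass
class PrintDecision:
    action: str                               # one of RELEASE, STAMP, QUARANTINE
    findings: dict = field(default_factory=dict)  # category -> match count


def classify_document(text: str) -> dict:
    """Count matches per personal-data category; categories with no hits are omitted."""
    findings = {}
    for name, pattern in PATTERNS.items():
        hits = len(pattern.findall(text))
        if hits:
            findings[name] = hits
    return findings


def decide_print_workflow(text: str, review_threshold: int = 3) -> PrintDecision:
    """Map the findings to a workflow action.

    No personal data: release as normal.
    A little personal data: print, but add a confidentiality stamp.
    At or above the threshold: route to a secure queue for review before release.
    """
    findings = classify_document(text)
    total = sum(findings.values())
    if total == 0:
        return PrintDecision(RELEASE, findings)
    if total < review_threshold:
        return PrintDecision(STAMP, findings)
    return PrintDecision(QUARANTINE, findings)


def stamp_document(text: str, label: str = "CONFIDENTIAL - CONTAINS PERSONAL DATA") -> str:
    """Prepend a visible security stamp so the printed copy is clearly marked."""
    return f"*** {label} ***\n{text}"


def audit_record(user: str, job_id: str, decision: PrintDecision) -> dict:
    """Accountability record for the print job; only categories are logged, never the data itself."""
    return {
        "user": user,
        "job": job_id,
        "action": decision.action,
        "categories": sorted(decision.findings),
    }


# Constructed sample print jobs.
SAMPLE_DOCS = {
    "maintenance": "Quarterly printer maintenance schedule. All devices on floor 2 due Friday.",
    "ticket": "Ticket 4412: customer j.smith@example.com reported a paper jam.",
    "customer_record": (
        "Name: Jane Smith\n"
        "Phone: 01234 567 890\n"
        "Email: jane.smith@example.com\n"
        "Last login from 192.168.1.25\n"
        "Alt email: jane@example.org\n"
    ),
}

if __name__ == "__main__":
    for job_id, text in SAMPLE_DOCS.items():
        decision = decide_print_workflow(text)
        print(audit_record("alice", job_id, decision))
        if decision.action == STAMP:
            print(stamp_document(text))
```

The threshold and the three-way split are deliberately simple; the point is that the decision is taken before the job reaches the device, and that the audit record captures who printed what kind of data without copying the personal data into the log.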
There are more ways to prevent unnecessary documents being printed; you need to look into which one is best for your organisation. Even though the GDPR deadline may not seem close, it's vital to start considering business operations and sorting out the current processes you have in place that could pose a risk. It's not advisable to leave everything until the last minute.
Disclaimer: This material is provided for your general information and is not intended to provide legal advice. To understand the full impact of the GDPR on any of your data processing activities please consult with an independent legal and/or privacy professional.