Is your company ready for GDPR?
On the 25th of May 2018, new data protection law will come into force to make data protection rules uniform throughout the EU. The GDPR (General Data Protection Regulation) applies to all companies and sets requirements for how companies collect, store and manage personal data and sensitive information. Is your company ready? Here are some tips on how to prepare for GDPR in the best possible way*.
What is GDPR?
GDPR is the EU's new data protection law, which governs how companies protect personal data about all EU citizens. GDPR replaces Data Protection Directive 95/94/EC (PUL) and will improve rights for the individual in terms of personal security and privacy. It will require total transparency for the individual about how companies use personal data.
The General Data Protection Regulation (GDPR) will apply to all businesses and organisations that save or handle personal and sensitive information about their employees or customers. Failure to meet the new requirements will be subject to fines of up to 4% of the company’s annual global turnover or €20 million (whichever is greater).
What is considered personal data?
Personal data is any information that can directly or indirectly identify a person. Examples include a name, address details, an e-mail address, a social security number, an image, an IP address or a mobile device ID. According to GDPR, all processing of personal data must be lawful and accurate, and the person whose data is being used must be able to find out how it is processed.
What should I keep in mind as GDPR approaches?
Make a risk assessment plan and investigate how you store and process personal data today. Important questions to ask are: Where is personal data stored and processed? Is it on internal servers, on mobile devices, in the cloud, in e-mails or in apps? What data security measures are in place today? Who has access to personal data?
- Map how personal data is collected, processed and stored. A flowchart is a good way to see how personal data moves between different systems and whether each of these systems meets GDPR's data management requirements.
- Check where you store any physical records containing personal information and eliminate the risk of printed documents ending up in the wrong hands. Because GDPR applies to all personal data, including paper copies, it is wise to invest in lockable storage such as document cabinets, burglar-proof filing cabinets or safes. These offer high-security storage and make it easy to restrict access to confidential documents.
- Destroy paper copies of sensitive documents using document shredders. Cross-cut document shredders cut or shred the document into small confetti-like pieces and are recommended for destroying sensitive and confidential information that should no longer be stored.
- Develop clear procedures for how to act within the company if a personal data breach occurs.
- Be sure to always specify the purpose when your company collects personal information. It should be clear how the information is to be used; the data may not be used for any reason incompatible with this purpose.
- Update your company's terms and privacy policy to describe how personal data and sensitive information is handled. Ensure that this information is readily available to the person to whom the data relates.
- Keep all employees informed of changes, new rules and plans regarding data protection and implementation of GDPR.