What exactly does it mean to be compliant with the European Union’s General Data Protection Regulation, which comes into force at the end of May this year, and how should businesses go about becoming so? As James Kelly outlines in detail for the readers of Risk UK, seeking professional help in disposing of confidential and business-sensitive data is a wise investment for any organisation.
As the deadline for compliance with the European Union’s General Data Protection Regulation (GDPR) looms large, companies and organisations across the UK should have been taking steps to ensure that they fall into line with the new procedures. A crucial part of this process focuses on procuring the right services to ensure that all data storage regimes adhere to the changes.
From May this year, organisations will not only have to prove that they’ve taken an audit of their data, but also that they’ve enacted the right measures to destroy any data that’s no longer relevant. Subsequent to 25 May, any company proven not to be in full compliance with the new rules enacted by Brussels is at risk of compromise and potentially hefty fines.
What, then, are the tangible risks? Top of the list will be a raft of financial penalties being issued by the Information Commissioner’s Office (ICO) or even the threat of prosecution. At present, the ICO can issue businesses displaying poor data management in breach of the Data Protection Act with fines of up to £500,000. The largest of these fines to date has been £400,000 issued to two separate companies, namely Keurboom Communications Ltd and the TalkTalk Telecom Group plc. In addition, there have been just shy of 20 prosecutions for criminal offences committed under the Data Protection Act.
In the last 12 months alone, in fact, over £4.1 million worth of fines have been issued to businesses for failure to comply with the Data Protection Act. Under the GDPR, the fines levied may be up to 4% of an organisation’s annual global turnover or 20 million Euros, whichever sum is the greater.
The other most common risk will be reputational damage leading to the potential for lost business. As customers are becoming increasingly more aware of and concerned about how businesses collect and use their personal information, so those same businesses run the risk of losing customer confidence in the brand where the customer feels that their privacy isn’t being protected or respected. A loss in customer confidence ultimately leads to financial losses.
One of the most vulnerable periods of the data processing cycle is that point at which data is no longer required and needs to be disposed of. If data isn’t adequately disposed of at the end of its lifecycle, it can fall into the wrong hands and be unlawfully processed.
Under the Data Protection Act 1998, everyone responsible for using data has to follow the data protection principles. These include ensuring that data is used fairly and lawfully for limited and specifically stated purposes and that it’s used in a way that’s adequate, relevant and not excessive. Data must be kept for no longer than is absolutely necessary, handled according to people’s data protection rights, kept safe and secure and not transferred outside of the European Economic Area without adequate protection measures being in place.
When it comes to information destruction, the seventh principle of the Data Protection Act stipulates that appropriate measures must be taken against accidental loss, destruction or damage to personal data and against unlawful processing of that data. When the GDPR comes into force, companies in both the private and public sectors will need to prove that data is securely erased in line with the new European Union guidelines and show that they’re fully accountable for monitoring, reviewing and assessing all relevant processing procedures.
Secure data destruction is the process of destroying confidential materials to the point at which they cannot be reconstituted. These materials can take many forms, including paper, computer hard drives and branded products. Crucially, all hold the potential to cause problems for businesses, employees or customers if they fall into the wrong hands.
How might companies mitigate potentially expensive and reputational hazards when it comes to disposing of data that’s no longer needed? Shredding confidential material is a costly and time-consuming process which, for some firms at least, means that in-house data shredding simply isn’t a viable option. This is certainly true for those operations handling vast amounts of data across a variety of sites. In these situations, outsourcing to a regulated information destruction organisation is the most practical alternative.
Highest possible standards
Engaging a company specialising in this service and harbouring a high-security shredding facility affords organisations the reassurance that data destruction is being correctly conducted. Registered data shredders have to comply with the highest industry standards which are regularly updated.
On that note, service providers must demonstrate that they’re certified to EN15713 – the European Standard for data destruction. EN15713 sets out the measures that organisations should take in order to maintain the security of confidential data and provides recommendations relating to the management and control of the collection, transportation and destruction of confidential material to ensure that such material is disposed of both safely and securely.
Whether confidential materials are shredded on-site or at a high-security shredding facility, businesses outsourcing their shredding to a professional service provider can be assured that the data will be completely destroyed. Additionally, the services provided by professional information destruction companies often extend far beyond the actual destruction of confidential material to include secure document storage, data security advice and guidance, office clearance and recycling.
The GDPR represents a great opportunity for information destruction companies. In the current climate there has been an increased demand for their specialist services from both new and existing customers, all of them asking about the GDPR and how information destruction can assist. Even with all of this help at hand, though, there’s still confusion around what it means to be fully GDPR compliant (and not just from the point of view of the customer, but also in terms of how it affects the industry as the holder of its own data).
Industry feedback from customers highlights varying levels of concern, from companies looking for accreditation through to others happy with a downloaded template data policy or standard Terms and Conditions and on again to those simply choosing to ignore the looming EU deadline.
From an industry standpoint there are three elements that could affect information destruction businesses: their own data responsibilities, their shredding services provided for the destruction of data as a data processor and marketing to opted-in clients (be they either existing or prospective).
These elements are all currently open to interpretation both by experts and customers. They’re most likely common across all industries, so it’s arguable that even with all of this information to hand, companies are still not fully aware of their obligations, no matter how robustly they’ve been laid out by the ISO.
Of course, some of these issues open up opportunities for companies dealing with data destruction to create new services, but they also highlight that, even at this late juncture, there’s still much work to be conducted in communicating what companies need to do in advance of what is a major data milestone.
Every business will collect and generate confidential information relating to its operations, its employees or its customers. When this information is no longer required, there can be severe consequences for the data subjects if the information isn’t correctly disposed of and falls into the wrong hands.
Therefore, any business that collects, holds, processes or disposes of a person’s personal information has a responsibility to ensure that it’s protected from loss or theft. In fact, since the Data Protection Act was passed into law in 1998, there has been a legal obligation for businesses to act responsibly in terms of how they use personal information.
The data protection landscape is all set to change in May when the GDPR comes into full effect and exerts potentially significant impacts on the ways in which UK businesses collect and process the personal data of individuals.
James Kelly is CEO of the British Security Industry Association