May 31, 2019
A year on from the introduction of the EU’s General Data Protection Regulation (GDPR), there are signs that UK businesses are confident that they are complying with the legislation. To gauge the current attitude of businesses towards GDPR, Shred-it commissioned an independent survey of 1,439 UK-based small and medium sized businesses. On the face of it the news is positive: 72% of respondents said that they are “very aware” of GDPR.
The biggest concern is whether or not the confidence in GDPR-readiness is justified. Only 45% of the firms who said they were ready to deal with data protection requirements also said that they had reviewed their data protection policies recently. Just over a third had emailed their customers to confirm consent to data use, less than a quarter had published a privacy notice, and just over two in ten had reviewed, deleted or destroyed personal data.
Under the surface, then, there are question marks about whether companies are really ready, particularly when it comes to ‘back end’ issues around data management, such as developing a response plan in the event of a data breach, which will be critical if a case is taken to the Information Commissioner’s Office (ICO).
What companies may also be missing in light of this is that GDPR doesn’t just relate to digital data. The provisions of GDPR are just as applicable to paper-based records as they are to digital ones.
When asked about the kind of support those who sought it had received, 44% cited issues around digital data and encryption – yet GDPR applies to all data, including paper records, a point many seem to miss.
As with digital data, companies should have strict internal procedures in place to deal with the protection of paper records of all descriptions. Inadequate long-term storage of paper documents, such as archives with unrestricted access, is a key point of vulnerability. Important documents containing personal information left on printers, desks and in waste paper baskets overnight are also a compliance risk.
Business leaders need to urgently reassess how they protect their organisations from potential security risks and data breaches, not only digitally but in traditional environments too. In the event of an investigation by the ICO, companies that aren’t proactively protecting their physical paper records will likely be treated less favourably than those that can show they have made their best effort. They must make sure workforces are aware of the policies and that employees have access to appropriate tools (e.g. secure consoles) to implement them.
Best practice in this case covers provision of locked confidential information consoles that are easily accessible, and company-wide policies that encourage a ‘clean desk’ at night. Organisations should also be arranging for the secure destruction of documents after prescribed periods of mandated storage, keeping only digital copies of essential files in an encrypted format.
There are other elements of GDPR that become more complex when paper-based records are taken into account. A data subject access request, through which a citizen can request copies of, and correct, any data an organisation holds about them, is a challenge. Again, digitisation and destruction of the paper originals will assist.
It’s good news that, one year from the implementation of GDPR, awareness of the law and its headline aspects is high, but companies shouldn’t be complacent in their quest to become fully compliant. Remember, the impact of any loss or misappropriation of sensitive data (a data breach) can be substantial, and will include but is not limited to: operational delays; investigation and remediation by an independent regulatory body (e.g. the ICO); legal action; brand reputational damage; loss of consumer confidence; and loss of revenue.