It seems as though the UK has been waiting for the General Data Protection Regulation deadline for a while. Now, 25 May has arrived and passed. Are you taking a huge sigh of relief or will you be taking a deep breath in anticipation of what GDPR could present? Mark Harper of HSM explains how you can remain compliant whether you’ve already prepared or not.
The time has come for GDPR to change the way we handle our data. Of the 5.7 million private sector businesses across the UK, some will take a huge sigh of relief as they feel confident in their preparations, while some are likely to take a deep breath as they plunge into uncertainty.
Whether awareness, and thus preparation, has failed or not, we are about to see whether businesses across the UK are equipped to tackle GDPR.
Concerning figures released in April 2018 highlighted that only 5% of organisations are fully prepared for GDPR. The businesses yet to have taken notice of GDPR may suddenly be caught in the headlights, potentially resulting in heavy fines and more.
However, it’s not only the fines that are a present danger. A recent survey conducted on UK SMEs found that over half consider damage to reputation as their biggest concern from GDPR.
Yet, despite the possible ramifications, there’s no reason for concern. There are simple checks and modifications you can make to your data handling processes that can keep you compliant.
Simple changes go a long way
Acting responsibly will go a long way from 25 May onwards. Ensuring you have some kind of processes in place is half the battle.
Internal awareness and accountability are the first step. Training staff on GDPR guidelines helps to remove the possibility of data breaches through human error. Staff should understand that GDPR is now going to affect their daily routine at work and that they have someone or something, such as a guide, to refer to when they need it.
There are simple policies that can be implemented quickly which can help in the fight to remain compliant around the handling and destruction of documents and data carriers containing personal and sensitive data, whether they are paper-based documents or digital devices such as hard drives.
Firstly, a shred-all policy is one of the most clear-cut ways to ensure you remain secure for GDPR. As soon as confidential documents are no longer necessary, you should shred them there and then. Shredding all documents at the source renders them useless at the point of use. Think: if you would bin it, you should be shredding it.
Advice also leans towards the mantra of “shred little and often”. Shredding documents as soon as they are no longer required is another effective way of removing any risks left by confidential documents. By following this mantra, you can save the time that would otherwise be spent in onerous long periods of shredding, where waste documents build up into huge piles that people are reluctant to shred in one go.
Moving towards regularly shredding in small quantities also helps in maintaining a clear desk policy. This not only makes your office look smarter, but also keeps confidential documents away from unauthorised casual viewing or the possible removal by staff and visitors.
What’s more, the most secure way (according to the DIN 66399 standard) to remain data compliant is to have onsite shredders dispersed around the office so that they are easily accessible to all. This way, you remove the possibility of paper waste finding its way into a paper bin, the risk of important documents lying around, and the risk of third parties handling them.
Turn these policies into routine and this part of your compliance should no longer be a question.
Shaping the future of data handling
If you’re looking to do the right thing and follow some of the aforementioned policies, you may need to make some small changes with regard to your current shredding solutions.
However, there are some important factors to consider. Although shredding is one of the key solutions for GDPR, you still need to ensure you’re shredding suitably.
Whilst some may still be opting for the seemingly convenient off-site shredding services, this isn’t necessarily the best action to take. Concerns over cost-effectiveness, and more importantly security, continue to linger over the external services on offer.
Retain control in-house by shredding internally. It’s safer and more secure, and it makes it easier to ensure company-wide awareness and that the processes mentioned earlier are actually practised.
Shredding everything, little and often, is going to shape the future of data handling, and it is something everyone should be on board with.
Post GDPR – remaining compliant
There are likely to be some businesses that are caught out by GDPR. That much is inevitable.
Even if you’re doing the right thing and following compliance policies, it’s important to remember that awareness doesn’t stop on 25 May. Keep yourself and your employees updated on any external accounts of GDPR slip-ups and adapt if necessary.
The main point to consider is that processes should be considered as routine and not something that is done periodically or neglected shortly after 25 May. Ensure you and your staff understand the processes that need to be or have already been put into place.
Think about those ancient HR records no longer in use containing personal information of ex-employees or private and confidential company accounts.
Act responsibly and act now, because whether you’re ready or not – GDPR is here.