New data security laws are coming – are you ready?

At some point we are going to see signs of panic. But not yet, apparently. The biggest change in data security for a generation is almost upon us and the bulk of businesses are disconcertingly unaware.

A recent survey conducted by Ipsos for our company Shred-it examined UK companies’ readiness for the European Union’s forthcoming General Data Protection Regulation or GDPR. The results were worse than we had anticipated.

Eighty-four per cent of UK small-business owners and 43 per cent of senior executives at large companies are unaware of the GDPR.

The numbers who knew the penalties for breaching the regulations were worryingly low. Only 14 per cent of small businesses and 31 per cent of executives at larger companies understand that the penalties can reach up to €20 million or 4 per cent of global turnover.

The GDPR comes into force across the EU in May 2018. In a nutshell, vast swathes of UK companies are approaching this date unprepared and the implications if they don’t act soon are significant. Ignorance of the law, as they say in legal circles, is no defence.

WHAT THE RULES DEMAND

The GDPR imposes enhanced obligations around data management for companies of all sizes. For example, when asked for their consent, individuals must be given a far more detailed explanation of how their data will actually be used. If they want their data destroyed under the right to erasure, they may request this and it must be carried out without fail. A data protection officer may need to be appointed, and data breaches must be reported to the regulator, the Information Commissioner’s Office, within 72 hours. There is no buying time to spin the story, as delaying could risk increased penalties.

The message is clear. Every organisation should look to develop a comprehensive data security strategy. However, one area of disconnect in particular stands out. Where electronic data is concerned, most companies already have a strategy with developed protocols, passwords, access controls and other security measures. The gap is often in the treatment of physical data for disposal. Letters, financial records, reports and other printed confidential materials are often treated as low risk or, worse, regarded as waste rather than as a security concern. Documents are either intentionally or accidentally sent for recycling, or simply dumped in the bin, with no thought of their destination or of who may access that information once it is in the disposal process.

Under the GDPR, the risk from this oversight is heightened. Personal data in any format, electronic or physical, falls under the regulations. Printed confidential data must therefore be considered integral in forming the security strategy, treated with equal concern as that afforded to digital data.

Small office shredders are the chosen solution for some organisations. While this may meet the intended security protocol, it is often limited by the time employees have available, or by simple items such as paper clips, plastics or laminates that the machine cannot handle; all too often users then resort to recycling or waste disposal instead. In effect, a paper clip can break the security system.

This means that even when companies try to comply in-house with the GDPR they may struggle.

HOW TO REACT

The solution is to seek the advice of a dedicated specialist. This is the domain of Shred-it. We are the UK and global leader in document destruction. In the UK we serve 35,000 customers from 18 service centres, destroying more than 5,000 tonnes of confidential paper on average each month.

Last year our certified information security professionals carried out 5,000 workplace data security risk assessments in the UK alone, helping organisations of all sizes understand their security risk.

We bring three unrivalled qualities to the job. Firstly, we will develop a bespoke solution that reviews current processes and recommends areas of improvement in the capture and secure handling of confidential information for disposal. Secondly, we help you build a secure process for destroying physical documents and data within the GDPR’s fundamental spirit of “privacy by design”. Thirdly, we bring a raft of service options. Our destruction services may be conducted at your premises or off site at one of our service centres, on a regular basis or on demand, depending on your needs.

Shred-it can also assist with electronic media destruction, ensuring that hard drives from redundant computers and servers, as well as flash drives, are physically destroyed, rendering the data unrecoverable.

Shred-it’s international profile sees our reach extend across 21 nations, helping more than 400,000 businesses worldwide achieve the highest level of rigour in their security policy. Multinationals know they can use Shred-it and get the same gold standard of service, in keeping with security policies across multiple markets.

The result of partnering with Shred-it is that companies can give confidence to investors, customers, commercial partners and regulators that they have a fully rounded, auditable, strategic security process around the destruction of all forms of personal and confidential data. This is no small thing. Data breaches have cost companies a fortune in the recent past. Aside from penalties incurred, the reputational damage to the company can be severe.

COST OF FAILURE

Inaction may mean violating the GDPR. That exposes organisations to the risk of reputational damage and financial penalties. We can also expect customers to ask their suppliers for guarantees around the protection of shared data, including the handling of printed data. If suppliers cannot provide those guarantees then customers are likely to consider other options.

Conclusion? Before May next year, companies will need to review current processes and conduct in-depth audits and risk assessments in light of the new regulations. An industry specialist can help with this. Legal advice should also be taken. In addition, training staff will be essential.

Above all, companies need to know and prove that all confidential information, regardless of format, is effectively secured.

As the rules get tighter, the importance of working with a specialist will only grow.

To find out more, please visit shredit.co.uk/gdpr