Jacqueline Hills is Senior Director Legal and Compliance at Office Depot EU
With the General Data Protection Regulation (GDPR) coming into force later this month, time is of the essence for businesses looking to ensure their handling of personal data hits the mark. Whilst many businesses are migrating towards methods of working which minimise the use of hard copy documents, some sectors, such as professional services, are still reliant on their use and need to ensure that data handling procedures are suitably adapted to meet with the requirements of the new legislation.
The GDPR is not restricted to the UK and is part of a Europe-wide initiative to streamline the ways in which businesses handle and store confidential information, and provide individuals with greater control over their personal data.
Particularly for professional services firms, for example those in the legal or accountancy industries, there has been a long tradition of using paper documents for contracts, instructions or correspondence. Much of the focus has to date been on electronic customer or employee data with the paperless business environment being proposed as one solution to GDPR compliance. Since the mid-seventies businesses have envisioned a paperless environment but this remains far from reality in 2018. Most organisations do not operate a paperless business environment and as such will need to ensure they are able to organise their paper documents as efficiently as their electronic formats.
Confidential data comes in many forms and can range from simple names and addresses, right through to medical records, employment files and payment details; the types of data stored by each organisation will vary. A first step for any business, particularly those which keep extensive hard copy records, will be to conduct a thorough data audit.
An audit of personal data is an essential task in almost every business, and finding out what types of data are stored, how they are stored and whether they need to be kept on file will be invaluable. A key pillar of advice for all businesses looking to ensure that they are compliant under the new GDPR is to keep data only as long as it is needed. For instance, correspondence and contracts for old clients may no longer be needed and should be disposed of accordingly.
Investigations by the Information Commissioner are unlikely to be undertaken for every business. However, if a data breach is found to have occurred within an organisation, the parties involved will be under pressure to prove their compliance. If a serious leak of personal, sensitive information occurs, all businesses must be prepared to show the practical steps they have taken to put safeguards and measures in place to ensure the security of the personal data they have on file.
The fines for being found negligent under the new GDPR are severe, and have been increased since the old Data Protection Act 1997 was introduced. Companies found to be in breach of the legislation can be fined up to four per cent of global turnover or €20 million, whichever is higher. This is before the potential impact of any reputational damage to the brand or organisation is taken into account.
Whilst penalties of this severity are certainly headline-grabbing, they serve a purpose in highlighting what can happen in a worst-case scenario, such as a large amount of sensitive information falling into the wrong hands. Many aspects of the GDPR are not new and, for a large number of organisations, will already form part of existing company policies relating to the use and storage of personal data. For some, however, particularly those professional services businesses which rely on hard copy documents, changes will need to be made.
There will be certain activities that demand particular attention under the new regulation – for example responding to subject access requests – and new approaches will need to be adopted. These could include ensuring documents are labelled and indexed accurately and held securely in lockable cabinets. Organisations may choose to scan relevant documents and apply access security measures to manage data security and processing. When responding to such requests, organisations may opt to send out the information on CDs or memory sticks, secured with compliant encryption tools.
For those documents, however, which are still necessary for the day-to-day running of the business, enacting a culture change within the organisation is important. Whilst it is always a good idea to assign individual members of staff responsibility for ensuring that sensitive data is handled and stored in the correct way, empowering employees in general to take a more proactive stance towards data security is also wise.
This can include encouraging employees to securely store documents in lockable filing cabinets or enforcing stringent clear desk policies where appropriate to minimise the risk of sensitive data falling into the wrong hands. Businesses should also consider supplying privacy screens which can be fitted to laptops, ensuring that third parties cannot view sensitive documents whilst they are being worked on. This can be particularly advantageous in environments where a large amount of work is undertaken outside the office.
Copies of documents are often overlooked, so the way documents are disposed of also needs careful consideration. Many shredders, particularly those which use ribbon cutting, do pose a security risk: for a third party looking to steal data, the output from these types of machines can be pieced together again. Instead, choosing a cross-cut or diamond-cut shredder drastically reduces that risk and makes it much more difficult for confidential information to be accessed.
The new GDPR is an evolution of current data protection legislation and will require businesses of all shapes and sizes to sit up and think more carefully about how they handle sensitive data. For some, however, confining hard copy documents to the recycling bin simply isn’t an option. By assessing risks and mitigating them where possible, businesses can carry on as usual without the threat of punitive penalties.