The General Data Protection Regulation (GDPR), due in May 2018, requires a stringent approach to the storage and management of data. Paul Moonan, MD of Restore Scan, warns that failure to prepare could be damaging and costly.
A recent Insight report from the Association for Information and Image Management (AIIM) reveals some startling statistics. Its 193,000-strong community was asked: “In relation to the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, how would you describe your organisation’s level of readiness?”
AIIM found that just six per cent feel they are fully prepared for GDPR, while 25 per cent say they are still thinking about it and seven per cent have, basically, done nothing at all. That’s a whopping one-third of respondents, from a community that one would suppose was predisposed to being compliance savvy, who may not be ready for the new regulation when it starts being enforced in under 10 months’ time.
With storage space at a premium, the new regulation enforces the need to manage data in a much more sophisticated way. The good news is that many businesses and organisations fall within the 60 per cent band that have either started planning or are well underway with their projects. They know that the countdown has begun and will have deadlines and systems under constant, ongoing review, addressing the issue of whether to digitise, store or shred their documents and data.
Others, however, may be feeling mildly panicked at the prospect of adopting GDPR-compliant measures.
The EU’s General Data Protection Regulation replaces the Data Protection Act 1988 on 25 May next year, and is global in scope because any organisation of any size that does business with the EU will be required to comply, whether based in an EU member state, ex-member state or completely outside Europe.
Compliance implies consequences, and they could be eye-watering in scale. If you don’t make the grade because of poor systems support and an inability to deliver on request, or because of hackers or security breaches caused by human error, the regulators will have the power to impose fines of up to €20 million, or four per cent of global annual turnover, for that failure.
For comparison, a UK government report from a 2015 survey showed that 90 per cent of large organisations and 74 per cent of SMEs reported a security breach that year, resulting in around £1.4 billion in fines. You can multiply that figure many times over for GDPR infringement.
While this level of penalty sounds draconian, the new regulation takes one of its key cues from the ‘right to be forgotten’ and is designed to create more stringent protection for the individual in this information age. This means, for instance, that requests to the data controller at your company to know whether personal data is being used, where and for what purpose must be answered within 30 days, with a copy of all that personal data being provided back to the individual in electronic format. Requests to be deleted from your database must also be actioned with a full electronic audit trail.
Can you instantly locate all the emails and phone call recordings that relate to just one customer or employee? How do you account for communications made with customers on mobile devices and information that’s in transit – being moved from one office to another, maybe even one country to another? How do you keep tabs on your employees’ use of social media in day-to-day business or even on the use of personal information implicit in the simple exchange of business cards at a meeting or event?
Don’t forget to factor in all the paper records that are not digitised: how would you transmit those electronically, and without hugely labour-intensive effort, in response to a request? How does a business go about drawing all this data into one location and one accessible format – and replying within the legally required 30-day timeframe?
COMPLIANCE THROUGH COLLABORATION
Even for companies that have efficient customer relationship management (CRM) and enterprise resource planning (ERP) software managing many of their back-office systems, it is clear that, for the majority of businesses, the introduction of GDPR means they need to adopt a strategic approach – and fast. In order to adapt ways of collecting, handling, processing and archiving personal data, all areas of an organisation will need to agree on their ways of working and collaborate in locking down systems so that all know what they are doing and why.
Sound data protection has many commercial and governance benefits, which should be of interest to the board or senior management team at any organisation. Drawing together and gaining the buy-in of every department and team, assigning projects to relevant managers in areas such as HR, IT, marketing and sales, and employing an experienced and knowledgeable data protection officer (a necessity for public sector organisations) will help get the ball rolling.
Looking to adapt processes and working methods to create an edge, reduce costs or increase productivity should no longer be the preserve of forward-looking organisations. GDPR will make us all work leaner while protecting data more vigorously. One way forward is to work with a technology partner who is informed and already compliant as you prepare for the switch to the new regulation.
With the GDPR deadline looming, it makes more sense than ever to adopt a paperless strategy. Scanning your documents gives you immediate and controlled access to the information you need and puts you in complete control. Searching is easy and security becomes locked down to only those people who need relevant access – a significant issue in GDPR. A complete audit trail comes as standard with retention periods being controlled from day one.
The security of paper documentation is crucial under the new data protection regulation. Steve Talbot, MD of IT Efficient and The ITAD Works, part of Harrow Green, advises on how to ensure document storage is GDPR compliant.
Most companies established prior to the early noughties (and especially those outside the tech industry) are paper based, housing reams of accounting and auditing files, sensitive HR documents, contracts and more in cupboards, filing cabinets and storerooms. It’s critical that FMs are aware that the incorrect storage, archiving and disposal of paper documents and analog media (such as VHS and audio tapes) will lead to hefty fines.
With space considerations at a premium, document storage has long been a balancing act of security and accessibility. As the new regulation comes into effect, that balancing act will become even more delicate. So what can FMs do to prepare ahead of the 2018 deadline and avoid penalties of up to €20 million?
GDPR will require organisations to correct inaccuracies, divulge what data is held about individuals and businesses, and erase information in a timely fashion, so it is crucial that they have quick access to documents – even those that are in ‘deep’ or long-term storage. All data must be stored in such a way that it can be identified and located easily.
WHO HAS ACCESS?
Data privacy is a key tenet of GDPR, and this is just as important for paper documents and analog media as it is for their digital counterparts. Physical assets can easily end up in the wrong hands, creating potentially serious data breaches. Consider who needs direct access to files internally, depending on the nature and sensitivity of the information, and plan how to manage their access through gatekeepers, levelled access and lockable storage.
The security of physical assets is at its most vulnerable when in transit, so it’s important to plan the secure transportation of files through trusted partners.
Irrespective of format, there are recommendations and, in some cases, statutory requirements in place for how long data, particularly sensitive information, can be stored in a business. Some documents, such as income tax records, must be kept for a minimum of six years, while employer’s liability policies must be kept for 40.
Are the retention periods of paper files currently logged and monitored in the business? If not, this needs to be addressed immediately with a schedule and inventory, as it will affect GDPR compliance.
Just as with digital information, where data wiping procedures need to be in place for technology with storage capabilities, paper document and other physical asset destruction needs to factor into an organisation’s information management schedule.
Finally, paper documents are highly susceptible to duplication. The greatest threat to even the most rigorous storage policy is human error and the mishandling of documents – folders lost on buses and sensitive documents left in printer trays. The second greatest threat is the photocopier. Unlogged duplication can completely undermine document control and expose an organisation to breaches and fines. Having a clear and well communicated document management system in place is crucial to avoiding this, and to staying GDPR compliant.