Welcome! This year is incredibly significant for professionals in a variety of industries, many of whom will be working hard on policies and processes to prepare for the biggest shake-up in data protection law for 20 years: the GDPR, which takes effect on May 25th, 2018. In this article, we have compiled some general information about the regulation, as well as how it affects us, our customers and our competitors.
General Data Protection Regulation
Following the 1995 EU Data Protection Directive, the UK put together the Data Protection Act 1998, and since then we have been using this as our legislation. The reality is that no lawmaker in the late nineties could have predicted the direction in which technology would have evolved and disrupted the everyday systems that we have become so accustomed to.
Since the directive is now more than 20 years old, the EU decided to create a single blanket piece of legislation for all member states, harmonising data protection law across them. Because GDPR is a regulation and not a directive, the UK need not draft new legislation; it applies automatically.
More control, more regulation
GDPR itself places an important focus on data control and processing both within and outside the EU. It intends primarily to return control of personal data to citizens and residents, allowing them to have more say over what companies can do with it.
Past and present data regulations
The Data Protection Directive (DPD), officially Directive 95/46/EC, is replaced by the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, on 25th May 2018. If you were affected by the DPD and had to create data policies for compliance, then you will simply have to write new policies to align with GDPR.
What does GDPR consider personal data?
The European Commission detailed a list of the most obvious examples of personal data when they stated: “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
James Rubin: “On a human level, GDPR has also introduced ‘digital rights’ for EU citizens, something highly in demand when personal data breaches are at an all-time high. Our confidential information and identities are constantly growing with the rise of the digital economy, and with the maturation of the technical abilities of those who may wish to steal useful information for whatever purpose.”
How does it affect us and our competitors?
Businesses in the waste management and environmental services industries will need to pay very close attention to the destruction of physical data carriers such as hard drives, as well as paper documentation and records. As we’ve discussed in previous articles, shredding and data erasure software such as Blancco are the most efficient options. However, many businesses still opt to use magnets, screwdrivers and incineration. GDPR also covers paper documents, so we must be extra vigilant about the safe destruction of these too.
James Rubin: “There are so many businesses in the UK who outsource their data destruction activities to specialist third-party IT asset disposal firms (we call these ITADs). If your core activities involve clearing waste, sorting, and then either recycling, reusing or disposing of it, you probably don’t want to deal with the added responsibility of finding hard drives in the waste piles. With GDPR, we will all have to pay more attention, especially if we wish to handle data destruction internally, which of course here at Enviro Waste we do.”
Do your data destruction methods comply already?
If you opt to have data destroyed externally, you must retain solid proof of data destruction and a very clear audit trail, given the proposed fines (which in some cases are double the existing figures). The reason for this added consideration is a change in who is held accountable for data protection.
Under the DPD, the data controller (the business that outsources its data destruction) was accountable, and not the ITAD that destroys the data. Under GDPR, both are held accountable, meaning there needs to be a more thorough approach to legislative compliance, as well as transparent and unified policies between the two businesses. Under the new system, both must keep accurate logs of all data handled, processed and securely destroyed.
What do you need to do now?
- For UK businesses, the process for becoming compliant, and confident about this compliance, is to start at the top, in the boardroom. Businesses who process data, and ITADs who destroy it, must begin by cooperating on and documenting strong policies that create unanimity.
- Once these policies are confirmed, the education process begins, and that may mean a lot of meetings, email campaigns, putting physical literature on desks, training events and workshops. The data management process must be drilled in thoroughly.
- After education comes control and records. Who has access to private data, and who along the chain of events from usage, to flagging, to destruction, could potentially cause harm to the procedure? Where does the data end up? Are the hard drives really destroyed, and how will the evidence be tracked and recorded? Answering these questions will lead you to compliance.
- Regular assessment of the process is necessary to ensure there are no complacent behaviours or shortcuts being introduced to the data management and destruction lifecycle. The penalties have been raised, and so must the standards of all those involved.
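The shared destruction log described above (both the controller and the ITAD recording each drive from hand-over to confirmed destruction) can be made tamper-evident by chaining each entry to the previous one with a hash, so that a later edit to any record breaks the chain. This is an added illustration, not Enviro Waste's own tooling; the asset serials, party names and timestamps are constructed sample values.

```python
import hashlib
import json

# Constructed sample: asset serials, party names and timestamps below are
# placeholders for illustration, not real records from any controller or ITAD.

FIELDS = ("asset_id", "event", "party", "method", "when")
GENESIS = "0" * 64  # prev_hash of the first entry in an empty register


def record_hash(record: dict, prev_hash: str) -> str:
    """Hash a record together with the previous entry's hash (tamper-evident chain)."""
    payload = json.dumps(record, sort_keys=True) + prev_hash
    return hashlib.sha256(payload.encode()).hexdigest()


def append_event(register: list, asset_id: str, event: str, party: str, method: str, when: str) -> dict:
    """Append an entry whose hash commits to its contents and to the previous entry."""
    prev_hash = register[-1]["hash"] if register else GENESIS
    record = {"asset_id": asset_id, "event": event, "party": party, "method": method, "when": when}
    entry = {**record, "prev_hash": prev_hash, "hash": record_hash(record, prev_hash)}
    register.append(entry)
    return entry


def verify_chain(register: list) -> bool:
    """Recompute every hash; any edited, removed or reordered entry makes this False."""
    prev_hash = GENESIS
    for entry in register:
        record = {k: entry[k] for k in FIELDS}
        if entry["prev_hash"] != prev_hash or entry["hash"] != record_hash(record, prev_hash):
            return False
        prev_hash = entry["hash"]
    return True


def unreconciled_assets(register: list) -> set:
    """Assets the controller handed over that have no destruction confirmation from the ITAD."""
    handed_over = {e["asset_id"] for e in register if e["event"] == "handed_over" and e["party"] == "controller"}
    destroyed = {e["asset_id"] for e in register if e["event"] == "destroyed" and e["party"] == "itad"}
    return handed_over - destroyed


def build_sample_register() -> list:
    """Two drives handed over by the controller; only one confirmed shredded by the ITAD."""
    reg = []
    append_event(reg, "HDD-0001", "handed_over", "controller", "n/a", "2018-03-01T09:00:00Z")
    append_event(reg, "HDD-0002", "handed_over", "controller", "n/a", "2018-03-01T09:05:00Z")
    append_event(reg, "HDD-0001", "destroyed", "itad", "shredding", "2018-03-02T14:30:00Z")
    return reg
```

Running `unreconciled_assets` over the register during the regular assessment step flags drives that left the controller but were never confirmed destroyed, and `verify_chain` flags any after-the-fact edit to the evidence.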
James Rubin: “Helping our customers become compliant with GDPR is top of our agenda in 2018. We’ve heard some horrendous data scares and nightmare stories over the years, and with these changes, it’s even more pivotal that people and businesses take data management security more seriously.”