Does your business manage sensitive personal data? If so, you will need to get ready for GDPR and the changes this will bring to your business.
Firstly, what is GDPR and what is all the hype about? GDPR is the acronym for General Data Protection Regulation, a comprehensive reform of data protection that will come into effect across Ireland and the EU on the 25th May 2018. The previous Personal Data Act will be replaced by GDPR. It is important for all businesses that deal with personal information to be aware that GDPR will affect them. The incoming GDPR will bring extensive data security and reporting requirements and, for companies that fail to comply, increased financial penalties.
For businesses that do manage sensitive personal data, GDPR requires them to be transparent about how they collect data and what they do with it, and to explain in clear terms how that information is processed. People will also have the right to ask for access to the data held on them, and a response must be given within one month. Additionally, a customer has the right to have their information rectified at any point if it is incorrect.
The reasons GDPR has been introduced are primarily three-fold. Firstly, once implemented, GDPR will streamline data protection across the EU, making the management of data simpler for many businesses in legal terms. Secondly, the regulation will give people more control over their personal data and what businesses can do with it. Thirdly, and most importantly, previous data protection legislation across EU countries was enacted before the widespread use of the internet and cloud technology, resulting in the mismanagement of data since the dawn of the internet and internet businesses. GDPR seeks to address all of these issues by ensuring clear rules are in place for the public and for the management of personal information.
The most important thing for businesses to be aware of is that penalties can be imposed should a data breach occur. If a data breach is suffered, businesses have a responsibility to tell those affected and the Data Inspection Board within a 72-hour deadline. If businesses fail to adhere to this deadline, the Data Protection Association can impose a penalty of 2% of the business’s annual revenue or up to €10 million, whichever is higher. Additionally, if a company fails to comply with the basic principles, a penalty of 4% of turnover or €20 million, whichever is higher, can be imposed. However, the regulation does stipulate that the fine must be proportionate to the severity of the breach.
So how can you prepare your business in advance of the GDPR deadline and ensure you’re protecting consumers’ data correctly? There are a number of things you can do in advance to prepare your business for when these regulations come into force.
5 Top Tips to prepare for General Data Protection Regulation (GDPR)
- Act now. Learn about GDPR and understand how it will affect you and your business.
The purpose of GDPR is to change the way personal data is collected and stored to better protect individuals’ details. Personal data includes: name, address, mobile phone number, email address, bank account and credit card details, driving licence or passport number. Further information, including IP addresses as well as economic, cultural or mental health information, will all be considered personally identifiable information. Any document that can identify a person falls under GDPR.
- Raise awareness by spreading the word.
Make sure your employees understand the importance of protecting data. It is imperative that each of your employees is fully aware of the implications of GDPR for your business and is confident in new processes that are put in place. You will have to update your policy and procedures to show customers how and why you are collecting their personal information. You will also be required to indicate where you are storing the information and for how long.
- Appoint a Data Protection Officer or Data Controller.
If you are a public company you will be required to appoint a Data Protection Officer (DPO) within your company. This person will be an expert in data protection and will be responsible for ensuring the company abides by the new regulations. There are external training courses available should you need help in this area. Most private companies do not have to appoint a DPO; however, they should have Data Controllers in place who are in charge of data protection within the company.
- How long are you currently holding data?
As customers must be told how long you are holding their data, you also need to explain why. How long do you need to hold data, and what is the maximum amount of time that this information is required? You will need to agree clear parameters within the business and across all departments on where and how this information is stored, and ensure all employees adhere to this structure. It is your responsibility to guarantee that all information on file is stored securely, whether this is a hard or soft copy, in the cloud or within a secure storage facility. You will also need to be able to access this information within one month should a customer request it.
  - Contracts with all sub-contractors.
Who has access to your customer data on your servers? Your IT company? A contracted book-keeper? Every contractor that has access to your data or can remotely log into your PC must have a data protection contract in place with your firm.
- Storage solution for paper files.
The secure storage of hard copy personal data can be a concern for some employers. While filing cabinets can be locked and offices can improve security through alarms, these facilities are not monitored 24 hours a day and thus can be at risk of a breach of personal information.
External storage facilities, such as Elephant Self Storage, can be considered as a viable, cost-effective solution to GDPR and securing your customers’ personal information. Elephant Self Storage offer specialised storage solutions for GDPR files and offer a 24/7 secure and monitored facility.
With over 800 own-key private storerooms, unique access codes, swipe card access network and temperature-controlled rooms, hard copy files will be easily accessible and secure. All storage items are free to access during opening hours. The facility also offers shredding services should this be required upon removing a customer’s personal data.
For more details and to view the range of storage units at Elephant Self Storage, check out www.elephant.ie or find us on Facebook.
To take a virtual tour of the Elephant Self Storage facilities, follow this link: