Does your business manage sensitive personal data? If so, you will need to get ready for GDPR and the changes this will bring to your business.
Firstly, what is GDPR and what is all the hype about?
GDPR is the acronym for General Data Protection Regulation, a comprehensive reform of data protection that will come into effect across Ireland and the EU on 25 May 2018. The previous Personal Data Act will be replaced by GDPR. It is important for all businesses that deal with personal information to be aware that GDPR will affect them. The incoming GDPR will include extensive data security and reporting requirements and, for companies that fail to comply, increased financial penalties.
For businesses that do manage sensitive personal data, GDPR requires that they be transparent about how they collect data and what they do with it, and that the way in which this information is processed be explained in clear terms. People will also have the right to ask for access to the data held about them on file, and a response must be provided within one month. Additionally, a customer has the right to have their information rectified at any point if it is incorrect.
The most important thing for businesses to be aware of is that penalties can be imposed should a data breach occur. If a data breach is suffered, businesses have a responsibility to tell those affected and the Data Inspection Board within a 72-hour deadline. If businesses fail to adhere to this deadline, the Data Protection Association can impose a penalty of 2% of the business’s annual revenue or up to €10 million, whichever is higher. Additionally, if a company fails to comply with basic principles, a penalty of 4% of turnover or €20 million, whichever is higher, can be imposed. However, the regulation does stipulate that the fine must be proportionate to the level of the breach.
So how can you prepare your business in advance of the GDPR deadline and ensure you're protecting consumers' data correctly? There are a number of things you can do in advance to prepare your business for when these regulations come into force.
5 Top Tips to prepare for General Data Protection Regulation (GDPR)
1. Act now. Learn about GDPR and understand how it will affect you and your business.
The purpose of GDPR is to change the way personal data is collected and stored to better protect individuals' details. Personal data includes: name, address, mobile phone number, email address, bank account and credit card details, driving licence or passport number. Further information, including IP addresses as well as economic, cultural or mental health information, will all be considered personally identifiable information. Any document that can identify a person falls under GDPR.
2. Raise awareness by spreading the word.
Make sure your employees understand the importance of protecting data. It is imperative that each of your employees is fully aware of the implications of GDPR for your business and is confident in the new processes that are put in place. You will have to update your policies and procedures to show customers how and why you are collecting their personal information. You will also be required to indicate where you are storing the information and for how long.
3. Appoint a Data Protection Officer or Data Controller.
If you are a public company you will be required to appoint a Data Protection Officer (DPO) within your company. This person will be an expert in data protection and will be responsible for ensuring the company abides by the new regulations. There are external training courses available should you need help in this area. Most private companies do not have to appoint a DPO; however, they should have Data Controllers in place in charge of data protection within the company.
4. How long are you currently holding data?
As customers will be informed how long you are holding their data, you need to be able to explain why. How long do you need to hold data, and what is the maximum amount of time for which this information is required? You will need to set clear parameters within the business and across all departments on where and how this information is stored, and ensure all employees adhere to this structure. It is your responsibility to guarantee that all information on file is stored securely, whether this is a hard or soft copy, in the cloud or within a secure storage facility. You will also need to be able to access this information within one month should a customer request it.
4.1 Contracts with all sub-contractors
Who has access to your customer data through your servers? Your IT company? A contracted book-keeper? Every contractor that has access to your data or can remotely log into your PC must have a data protection contract in place with your firm.
5. Storage solution for paper files.
The secure storage of hard copy personal data can be a concern for some employers. While filing cabinets can be locked and offices can improve security through alarms, these facilities are not monitored 24 hours a day and thus can be at risk of a breach of personal information.
Offsite storage solutions are not as costly as you might think; secure on-site storage systems can be costly and take up valuable office space.
External storage facilities, such as Elephant Self Storage, can be considered a viable, cost-effective solution to GDPR and to securing your customers' personal information. Elephant Self Storage offers specialised storage solutions for GDPR files in a 24/7 secure and monitored facility.
Elephant offers over 800 own-key private storerooms, a unique access code, and free access to your files during our opening hours. Use your own boxes and Elephant will collect them for FREE, or Elephant Storage will drop specially designed sturdy boxes to your door; you fill them, Elephant collects them for FREE and stores your file boxes within your own-key storeroom. Prices start at €1.27 per month per box, with no additional charges for accessing your boxes.
This is a business solution for companies of all sizes, and we can tailor a package to meet your requirements.