General Data Protection Regulation (GDPR)
What Is the GDPR?
The General Data Protection Regulation (GDPR) replaces the Data Protection Directive of 1995, which came into play barely four years after the advent of the internet, back when massive online data breaches were not possible. The purpose of the GDPR is to act as the new, overarching legislation governing the way companies around the world manage and protect personal data belonging to citizens of the European Union. It is a much-needed update to privacy legislation, one that takes into account the shape of society in a connected world.
Complying with the GDPR is about more than just avoiding fines. Keeping the goodwill of clients and partners is key to the competitiveness of a business. However, organizations that suffer a breach can be fined up to 20 million euros or 4% of annual revenue.
More Than Just Online
While most of the factors that affect GDPR compliance relate to online activities, there is an important offline component that businesses need to account for: the need to diligently destroy hard drives and schedule document shredding. If these two activities are left to your staff, they can create considerable risk for your business.
Impact of the GDPR on Your Business
To assess this impact accurately for your organization and understand the specific processes and implementations that you need to carry out, you will need to conduct a Data Protection Impact Assessment (DPIA). This assessment lets you evaluate the areas where your business is at risk of noncompliance, so you can remediate them. In the meantime, read on and find out about three key topics that apply to all businesses and can help you grasp the scope of the GDPR:
- What counts as personal data
- How long you can keep personal data
- What to do in case of a data breach
What Counts as Personal Data Under the GDPR?
Any information that can on its own be used to identify a living individual is personal data. If the information on its own cannot identify the person, but can do so in conjunction with other pieces of information, then it is also considered personal data. Additionally, if personal data has been processed (for example, encrypted) but this processing is potentially reversible, it still falls within the scope of the GDPR.
For How Long Can Data Be Kept?
The answer is both simple and complex: get rid of it as soon as you no longer need it, by scheduling hard drive shredding and document shredding. Understand the real need for the data you store and establish a process to destroy it, or review it, after a defined period of time. This period must not be shorter than any retention period that legal obligations require for that data.
What Should I Do in Case of a Data Breach?
When the personal data you are responsible for is exposed, you have 72 hours to notify the relevant authorities. If the breach poses considerable risk to the individuals whose data was exposed, you need to notify the affected individuals as well. Data breach reporting is key to compliance, whether you rely on in-house experts or third-party vendors.
PROSHRED® Security Is Your Trusted Shredding Partner
When the time comes to get rid of sensitive documents and old hard drives, you can depend on PROSHRED® Security. Our certified professional shredding services are fully compliant with current privacy regulations and are carried out on your premises at your convenience. The process is irreversible, and you can watch it unfold inside the truck through a live camera feed. You will receive a certificate of destruction to prove that you have done your part.