The countdown has well and truly begun. With just 4 months left to go, businesses are all starting to feel the pressure to become GDPR compliant. The new regulation, which updates the Data Protection Act, focuses mainly on how companies handle data. Everything from how it’s collected to how it’s destroyed will change from May this year. At Greenaway, we specialise in helping businesses with the last part of the process – the destruction part. As part of that, we wanted to give you some friendly advice on how to put processes in place to destroy your data in line with GDPR regulations.
Create Awareness Of New Rules
Creating awareness of the new rules coming into play will be key in ensuring they are followed correctly. Company-wide training on the ins and outs of the regulation’s requirements will help ensure your employees follow best practices, including how to destroy data. You should also take into account the risks of non-compliance, and the burden of personal responsibility outlined in GDPR.
Define All Data Processing Within Your Organisation
Take some time to define all the kinds of data processing your business does, across all areas, at any time. Every organisation will have different processes, but generally, most businesses will share a number of processes. Here are a few examples:
- Sharing information with 3rd parties
- BYOD (employees using their own laptops, USB drives, mobile phones etc.)
- Destroying obsolete data
- Transmitting data files
Analyse & Assess All Data Processing
Once you have defined all of your data processing areas, you will need to analyse and assess them. To ensure compliance with GDPR, it’s key that data processing has been thoroughly assessed to eliminate risk. In order to assess data processing, you should take the following actions:
- Audit your organisation’s destruction policy. Is it communicated effectively?
- Identify what types of data are being controlled or destroyed. There are many different types of data a business can hold that GDPR deems ‘personal, identifiable data’, including:
  - Basic personal identification, including names, ages and addresses
  - Web data, such as IP addresses
  - Cookie data
  - Health & genetic data
  - Racial or ethnic data
  - Political opinions
  - Sexual orientation
- Identify who has access to what data (internal staff, 3rd parties, outsourced support?)
- Define how long you should keep your data
- Do you have a schedule for destruction?
Secure Data Destruction
One of the biggest differences in the new GDPR compared to the existing Data Protection Act is the increased liability and fines for data breaches. There is likely to be a significant shift in focus towards preventative measures and auditing how and where your data is destroyed and stored. Here are a few tips to ensure secure, compliant data destruction:
- Create a standard policy and communicate it to employees. For example, this could include a poster outlining your shred-all and clear-desk policies. This will reinforce awareness and reduce the risk of human error when it comes to data breaches.
- Once documents or media are no longer required, employees should safely dispose of them in shredding receptacles (locked consoles or wheelie bins, where the documents cannot be accessed once deposited).
- A 3rd-party data destruction specialist with vetted staff will collect your documents and media and shred them on-site, for the shortest chain of custody.
- On-site shredding is the most secure method of data destruction and is carried out to the highest security standard.
- At the end of the data destruction process, you should receive a Certificate of Destruction, as evidence of your duty of care and of conformance with the new GDPR regulations.
At Greenaway, we provide expert guidance, advice and services around secure destruction of data for your business. That could be anything from providing shredding consoles to providing on-site data destruction, so you know your data is always in safe hands. For more information, just get in touch with us today.