It’s close to crunch time, which means that GDPR has got everyone a bit hot under the collar. Even more so now that we’re down to a double-digit countdown to implementation day. But there are so many articles and papers flying around that conflicting information has started to circulate, to the point that we now have ‘GDPR myths’, despite the regulation not even being in force yet. So today, we wanted to clear a few things up – looking at 4 GDPR myths and the truths behind them.
Under the Data Protection Regulation, businesses are required to disclose data breaches to anyone whose data may have been compromised. In that sense, not a lot will change with GDPR. The new regulation still makes it mandatory to report a personal data breach if it’s likely to put people’s rights and freedoms at risk. To clear that up, the Information Commissioner’s Office (ICO) provided a paper that identified the high-risk consequences of a data breach, including discrimination, damage to reputation, financial loss and other significant economic issues. Mandatory reporting helps catch these things early and put measures in place to prevent the damage.
Following on from mandatory reporting of data breaches, GDPR also sets out a timeline for when that reporting needs to happen. In order to be compliant, businesses need to notify the ICO that a personal data breach has taken place within 72 hours of discovering it. This does not mean within 72 hours of the data breach happening – but rather 72 hours from the moment of discovery. So if a data breach happened 3 months ago, but you only just discovered it at this moment, you would have 72 hours from now to report it. The ICO doesn’t expect all of the exact details right away either – they understand that you might not have all of the information in place, but they want to know the scope of the breach, the cause, and your mitigation plan.
GDPR also introduces a new type of fine for breaches of its rules – and it’s pretty heavy. Under GDPR, the ICO will have the power to issue fines for breaches, including failing to notify, and failing to notify on time. These fines can vary in scale, but climb as high as 4% of the company’s global annual revenue, or 20 million euros – whichever is higher. But the regulation isn’t just about issuing huge fines. In fact, fines can be avoided if businesses take a transparent approach and comply with the regulation.
One of the bigger elements of GDPR is the ‘right to be forgotten’. With this in mind, businesses should no longer be keeping personal information any longer than necessary – and must delete or remove the data at the owner’s request. This means that businesses need to have an information destruction process in place and know how to follow it. The best procedures are ones that are simple to follow – which means you need an easy way to dispose of both digital and physical data. If you’re not sure how to do that – just ask your local shredding consultant.
There’s no doubt about it – even if you’ve never thought about it before, now is the time to take action. Every business handling EU data needs to look at its own processes and take steps to protect itself from the inside out. To learn more about how Hungry Shredder can protect your documents and hard drives, even under the watchful eye of GDPR, just get in touch with us today for your free consultation and quote.