With the GDPR legislation coming into effect as of Friday, May 25, 2018, Shred-it recommends that you follow these critical steps to ensure that you avoid non-compliance and the risk of receiving a hefty fine:
Prepare a robust information security policy and keep it up-to-date.
Under the GDPR legislation, authorities will have the right to ask to review your privacy policies and procedures at any time. These should include:
Categories of data and how long this data should be stored before being securely destroyed.
Methods of information destruction for both physical and digital documents.
How to keep an accurate record of what information has been destroyed.
Appoint a person or team to oversee data protection.
This person or team will be responsible for ensuring that all the policies put into place are consistently being followed. They will also be required to report on the success of all actions. In addition, a statement of compliance will be required for your organization's annual report (if applicable).
Introduce Privacy Impact Assessments (PIAs).
PIAs are a critical component of the GDPR legislation. They are essentially risk assessments that identify where an individual's data can be at risk throughout its processing. It's therefore important to implement these at the early stages of any project so that data protection is part of your thinking from the very beginning.
Develop a breach notification process.
Some breaches are required to be reported within 72 hours. If a well-structured and understood notification process and response plan is in place, you will be able to act quickly to rectify any issue that may occur and therefore limit the damage that may result.
Make it easy for staff to protect confidential data with helpful policies.
Consider implementing the following policies to help keep your information secure:
Clean Desk Policy: Ensure that all confidential information is securely locked away when employees are away from their desks.
Shred-it All Policy: Destroy any and all paper documents and take the guesswork out of deciding whether or not a document is confidential.
Train staff on data protection policies and key issues.
Take a top-down approach and have your leadership team explain to their employees the importance of the GDPR legislation. Remember to discuss how it will specifically impact their jobs and the steps that they can take in order to ensure that the company remains in compliance at all times.
Speak to a legal advisor.
Considering the extensive consequences of non-compliance, we recommend you speak to a legal team that specializes in data protection legislation. This way, you will be able to fully understand the impact GDPR will have on your business.