Since our last article on GDPR in March, the new regulations have come into force and have been in full effect since May. Despite this, some businesses have not taken the time to look into them and, as a result, are facing heavy fines reaching into the hundreds of thousands of pounds, or up to twenty million euros at the top of the scale.
What Is GDPR?
The General Data Protection Regulation came into effect on 25th May 2018. It replaces the 1995 Data Protection Directive, and in the UK it is supplemented by the Data Protection Act 2018, which applies and extends it in UK law. The GDPR has introduced a range of new requirements which change the ways in which a business can carry out marketing campaigns and collect user data. These new requirements include:
What Actions Can Warrant Fines & How Much Can They Be?
Over the past few months, many companies have become subject to penalties under the GDPR. The maximum penalty for infractions against the GDPR can reach €20,000,000 or 4% of the business's total worldwide annual turnover for the preceding financial year, whichever is greater. Although the maximum fine has not been issued yet, many companies, large and small, have been receiving penalties.
Some of the fines that have been given are:
How Can You Protect Yourself?
It is highly advisable that you familiarise yourself, and others in your business or organisation, with the legislation that makes up the GDPR and the other data protection laws that apply to you. By doing this you can begin to understand what you must avoid doing in order to keep your business operating within the law. You can also start to put in place measures that will prevent breaches of data protection law from happening inside your firm.
You may need to dedicate a member of staff, or hire additional staff, to focus on ensuring that your business is compliant with the new data protection laws. Their responsibilities could include maintaining security, both physical and digital, to prevent any unauthorised or unlawful access to user data. They should also keep an accurate record of each user's contact preferences, whether the user allows only certain means of contact or none at all, so that those preferences are respected every time the data is used. Another responsibility could be running briefings that inform all staff of the GDPR requirements and the severity of the penalties that can be imposed if breaches occur.
We are assisting companies to ensure that their data is accurate, up to date and opted in, in accordance with the new data legislation. If you hold a database of customers, it will need to be brought into line with this legislation. If you would like to speak to us about the work we are currently doing with other businesses, then do get in touch with us.
The General Data Protection Regulation is set to build on what is already in place in terms of the Data Protection Directive.
1. An increase in the maximum fine to €20,000,000 or 4% of annual worldwide turnover, whichever is greater.
2. Reportable breaches must be notified to the supervisory authority within 72 hours of becoming aware of them.
3. No charge for subject access requests (previously up to £10), and the response time has been reduced from 40 days to one month.
4. Robust documentation will be needed within companies to explain how they process their data. Process mapping: what, where, who.
5. Companies whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special category data, will be required to appoint a data protection officer (as will public authorities).
What is a Breach?
A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data.
Examples of Breaches:
1. Unauthorised access by a third party
2. Deliberate action/inaction by controller
3. Sending data to an incorrect recipient
4. Computing devices lost or stolen
5. Alteration of data
6. Loss of availability of data (for example, an archive that can no longer be accessed)
For more information on the Information Commissioner's Office (ICO) data security breach trends:
A breach that is likely to result in a risk to individuals' rights and freedoms must be reported to the ICO within 72 hours of your becoming aware of it. Where a data protection officer is in place, staff should report the breach to that officer in the first instance, but this does not extend the 72 hour window: time must be allowed for the officer to assess the information and notify the ICO within the same 72 hours. Every breach, whether or not it is reportable, must be recorded internally along with the reasons for the decision taken, so that the ICO can verify compliance.
Reduce the Risk
Reception areas: What is on display?
Visitors to your offices:
· Challenge the purpose of the visit and ensure the visitor's access to company data is restricted to what that purpose requires.
· Ask all visitors to sign into the office and ask for professional identification.
· All team members should be empowered to challenge visitors.
· What is on display?
· Are confidential files, such as personnel files, kept in a locked cabinet?
· Operate a ‘clear desk policy’.
· Are offices locked when unattended?
Computer screens: Ensure your staff know the importance of locking their computer screens whenever they leave their desks unattended.
Email and documents:
· Ensure security and monitoring systems prevent information being forwarded to personal email addresses.
· Implement a secure central access point or hyperlink so that documents do not need to be duplicated as attachments.
· Password protect (encrypt) documents so that they remain secure if sent to the wrong recipient, and send the password by a separate channel, never in the same email.
· Remove any personally identifiable data that is not required.
Mobile technology devices:
· Ensure these are protected by a strong passcode, with device encryption enabled where available, and report any loss immediately.
· Change passwords immediately if a device is lost or a compromise is suspected. Current NCSC guidance no longer recommends forcing routine periodic changes, as this tends to produce weaker, predictable passwords.
· Save confidential information on a secure shared location, and not on the device itself.
· Owners of mobile technology must ensure that when not on their person, they are locked away.
Electronic storage: Paper records pose the biggest risk in terms of data protection breaches. Cleanse your paper data and look at secure digital storage solutions.
· Is data available?
· Is there an adequate tracking system?
· Observe retention periods and securely destroy anything older.
Confidential waste: Are adequate shredding facilities available, or is confidential waste outsourced to a reputable external provider?
· Check that all equipment is access locked.
· Ensure there are no fax machines, or photocopiers with fax facility in public access areas.
· Reduce the data you hold: if it is no longer needed, it is better to destroy it securely. Large amounts of stored paper data that cannot be located or accessed when required (for example, to answer a subject access request) will be considered a breach.
Training: Ensure key staff have access to Information Governance training.
Verbal transfer of data: Ensure there is a system or process in place to document conversations in which personal data is shared, including those conducted by telephone or on conference facilities.