The GDPR and Everyday Breaches

In just 12 months’ time, the EU’s General Data Protection Regulation (GDPR) will come into effect, replacing the UK’s current Data Protection Act. These new regulations will have a significant impact on the way data is managed.

The consequences of failing to comply with the GDPR are significant, with fines of up to 4% of a company’s turnover, or €20,000,000 – whichever is larger. With the clock ticking, it has never been more important to ensure robust systems for data management are in place.

While a lot of focus has been placed on cyber-crimes, server hacks, and database vulnerabilities, everyday scenarios can see a company in breach of the GDPR. These everyday processes need to be properly identified and planned for as they pose serious risks if they are overlooked.

An organisation could find itself in breach of the new regulations anytime personal information is not tracked within an organisation and managed appropriately. For example, each time a company recruits for a new role, applicants’ CVs are received by HR. These CVs are then shared with the hiring manager. Unless using HR software, these CVs are often shared digitally via email, or hard copies will be made and distributed. At this point, there are two versions of each applicant’s CV in existence within the company. The CVs of shortlisted applicants may also be shared with additional employees on the recruitment panel. Now there are multiple copies of each of these CVs.

To comply with data protection regulations, data must be kept no longer than necessary for the purposes concerned. Following the recruitment process, all personal data about unsuccessful applicants must be deleted. Unless each of the copies of the distributed CVs is tracked within the organisation, and there are systems in place to ensure they are all destroyed when no longer needed, the company will immediately be in breach.

The same is true of other everyday scenarios where personal data is collected and stored. Visitor’s books, both electronic and paper, hold personal information such as names, car registrations, and contact numbers. If name badges are printed for a conference, it is necessary to understand where this data is stored, so it can be managed appropriately.

All personally identifiable information needs to be protected and managed. Without a proper system in place, tracking documents and data within an organisation is an impossible task.

Protective marking is a robust solution for safeguarding information. Documents are marked to indicate the levels of protection required when handling the information. This includes its sensitivity, security, storage, movement within and outside the organisation, and its ultimate method of disposal.

Documents could therefore be marked as only necessary to be kept for 3 months, for example. Once classified, it is then possible to search for documents with that classification so they can be deleted. Data management systems should incorporate a schedule for checking for marked documents that need to be deleted. Software, such as TITUS Classification Suite 4, makes it simple for organisations to classify and identify documents.

With the looming deadline of the GDPR, contact us to find out how to manage your data appropriately and avoid being in breach of the new regulations.