How GDPR Scanning Can Help With Compliance
UK Document Management provide a range of compliant GDPR scanning services which can help organisations transition to the new GDPR legislation. Once this legislation comes into force in May 2018, organisations will be under greater pressure to ensure they comply. Using our compliant GDPR scanning service will enable any company, big or small, to increase the efficiency of their GDPR compliance.
A key part of the GDPR legislation is the right of an individual to have access to, amend, and erase personal data a company holds relating to them. This means that any company that receives a request must deal with it within one month; otherwise there is a risk of infringement. Using our GDPR scanning service will allow most of these requests to be dealt with within minutes. There would be no need to physically check archived storage boxes to find every single folder and every single file relating to a particular person.
How GDPR Scanning Can Help With Data Security
Data stored in paper form is likely to be more difficult to secure and restrict access to. Paper-based systems usually rely on documents being returned to where they came from. All it takes for a major personal data breach to occur is someone misplacing or losing a file. In comparison, electronic data from our GDPR scanning service can be stored centrally on a single server. This allows restricted levels of access and full audit trails to be set up.
Security of personal data is also a major part of the GDPR legislation; businesses must ensure appropriate security measures are in place. All of our compliant GDPR scanning services are undertaken at our secure facility where CCTV and other security measures are in place. We treat all personal data with the utmost care and at all stages ensure that it is accessible only to personnel who absolutely need it. Our use of industry-standard 256-bit AES encryption ensures maximum security of personal data.
What Is GDPR?
GDPR is short for the General Data Protection Regulation, a new set of data protection regulations being introduced across the EU starting 25th May 2018.
The aim is to standardise data protection legislation across the EU; in the UK, GDPR will replace the UK Data Protection Act (DPA) (1998). The UK Government has already confirmed that Brexit will not affect the introduction of the new GDPR legislation.
Many of the principles of the UK DPA (1998) will make up the GDPR legislation; however, GDPR is much more wide-reaching. Individuals will have much greater control over the personal data held and used by companies. There are also new powers which will allow for significant fines for non-compliance.
Who Does GDPR Apply To?
GDPR will apply to any business that collects or stores data of any individual residing in the EU. This means that even companies not based in the EU will have to comply if they wish to legally provide products or services to individuals in the EU.
GDPR will cover both “Data Controllers” and “Data Processors” at companies of all sizes in any industry. A “Data Controller” is responsible for how and why personal data needs to be processed, whereas a “Data Processor” is responsible for the management and processing of the data.
Most companies will be classed as both controllers and processors under the GDPR regulations. However, if an external company is used to process customer data, then potentially the controller and processor will be different companies. Under GDPR, even if a company is only the controller, it is obliged to ensure any contracts with the data processor comply with GDPR.
When Does GDPR Come Into Force?
From 25th May 2018 GDPR will come into force.
This follows a two-year transition period that started in April 2016 when GDPR actually became law. The reason for the two-year transition period was to give companies the time needed to make the significant changes required to comply.
Due to the transition period, it is highly unlikely any further extensions or grace periods will be given after May 2018.
What Are The Requirements Of GDPR?
Article 5 of the GDPR legislation sets out a number of key principles.
• Companies must process data relating to an individual lawfully and in a fair and transparent manner.
• The data must be collected and processed for a specified, explicit and legitimate purpose.
• The data must be adequate, relevant and limited to what is needed for the purpose for which the data is being processed.
• Companies must ensure the data is accurate and kept up to date. Every reasonable step must be taken to ensure inaccurate data is corrected or erased without delay.
• Data should only be kept as long as required for the purpose for which the data was processed.
• Any data should be processed in a way that ensures the security, integrity and confidentiality of personal data are maintained.
Article 5 also requires a “Data Controller” to be able to demonstrate compliance with these principles.
What Is “Personal Data”?
In the GDPR legislation personal data has a broad definition: “Any data that relates to an identified or identifiable individual.” Obvious personal data such as name, address, age, gender, contact details, etc. are all covered.
The broad scope of the GDPR regulations means that even more data types are covered, such as:
• Employee information
• Customer lists
• Customer service and feedback data
• Online identifiers such as IP addresses
• Location data
• Biometric data
• CCTV footage
• Financial information
Article 9 of GDPR refers to “special categories of personal data” which have even stricter rules relating to collection and processing. These special categories include things like health / medical information, race / ethnic origin and sexual orientation.
What Are The Consequences Of Non-Compliance?
Under the GDPR legislation there are provisions for significantly increased fines for companies found to be non-compliant. From 25th May 2018 onwards the upper limit for fines will be 20 million euros or 4% of annual global turnover, whichever is larger. As a comparison, the UK DPA 1998 allows for fines up to £500,000.
As well as fines, GDPR makes provision for individuals to bring civil litigation against companies for GDPR breaches and infringements.