The Europe-wide General Data Protection Regulation (GDPR) came into effect in the UK on 25 May 2018. GDPR covers the capture, control and consent to use of personal information. It applies to any company operating in Europe, even if headquartered elsewhere. GDPR recognises how the internet has changed the quantity and security of personal data. It introduces new rights for consumers. Further, it sets new obligations for businesses in a more inter-connected age. We thought we’d remind you why GDPR is quite so important to your organisation. And, of course, how CAS can help you to stay GDPR-compliant.
GDPR: what you need to know
Some key elements of GDPR include:
- Personal and sensitive personal data: the GDPR’s definition of personal data is upgraded to include online identifiers (e.g. an IP address) for data subjects – i.e. the individuals whose data it is. Sensitive personal data currently covers demographic data (e.g. age, ethnicity) but is extended in the GDPR to include biometric data. For most organisations, these enhanced definitions are likely to make little practical difference, though bear in mind that they apply both to automated personal data and to manual filing systems.
- Data processing: under the GDPR, organisations must guarantee that data shall be processed lawfully, fairly and in a transparent manner, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Privacy by design: under Article 25 of the GDPR, data protection must be designed into business processes, and privacy settings must by default be set at a high level.
- Data Protection Impact Assessments: these have to be conducted when specific risks occur to the rights and freedoms of data subjects. Risk assessment and mitigation is required, and prior approval of the data protection authorities for high risks. All organisations handling personal data will need a named Data Protection Officer to ensure compliance.
- Capturing consent and the ‘right to erasure’: the GDPR requires organisations to capture an individual’s consent to their data being processed. Consent under the GDPR requires some form of clear affirmative action; silence, pre-ticked boxes or inactivity does not constitute consent. As the consent must be verifiable, some form of record must be kept of how and when consent was given. And individuals have a right to withdraw consent at any time; their ‘right to erasure’ means that they can request deletion or removal of personal data from an organisation’s records.
For more information about the GDPR, you can visit the website of the Information Commissioner’s Office (ICO) http://ico.org.uk, the UK’s data protection authority.
Why cyber security is quite so important
For many organisations in the UK, the GDPR might simply be seen as an expensive upgrade to previous legislation. It increases the onus for self-reporting, as it is now an offence not to report a data breach which your organisation knows about. Indeed, in 2018, there were nearly 2,500 self-reported data breaches in the UK. But it’s not simply about increasing the cost of data protection compliance. For companies which manage and store data effectively, GDPR also represents an opportunity to understand their stakeholders’ needs better.
Even so, it’s vital that organisations protect personal data, or they will be pursued by the ICO. In 2018, the ICO imposed fines totalling £1.29 million on 11 UK firms for serious security failures in data protection. It also fined 11 charities over £130,000 for unlawfully processing data, mainly relating to consent for fundraising databases. But these fines were pursued under the older legislation, and the upper limit for fines has been raised under GDPR. Potential fines are now up to 4% of worldwide turnover or 20 million euros (whichever is higher).
Cyber security more generally must therefore be taken seriously across senior leadership in every organisation which collects personal information. The UK government’s National Cyber Security Centre (NCSC) has some useful advice in its ’10 Steps to Cyber Security’ https://www.ncsc.gov.uk/guidance/10-steps-cyber-security. And the NCSC’s Cyber Essentials scheme provides a benchmark for organisations to follow https://www.cyberessentials.ncsc.gov.uk.
CAS is a market leader in data protection and cyber security
Data protection is an area in which CAS prides itself, and we are fully compliant with the GDPR. We are registered with the Information Commissioner’s Office (ICO), registration number Z1281061. CAS identifies clients as data ‘owners’. We are a data ‘controller’ (according to the definitions outlined in the GDPR). CAS also acts as a data ‘processor’. However, this extends only to scanning documents and uploading scanned files to client-managed data banks on the secure and password protected CAS-Cloud.
CAS guarantees that data shall be processed lawfully, fairly and in a transparent manner. We will only process information in a manner that ensures appropriate security of the personal data. That includes protection against unauthorised or unlawful processing and accidental loss, destruction or damage. We use appropriate technical and organisational measures. The conditions for processing and the legal basis for scanning are defined by each client’s obligations around data retention and are covered in the contracts which we sign with our clients.
Our document shredding and IT equipment disposal services are also entirely compliant with the GDPR, as our clients remain data ‘controllers’ under the GDPR definitions. Again, we will always make this clear in any contract which we sign with clients who use these services.
If you’ve got questions about data security, give one of the CAS team a call today.
About Clarks CAS Archive storage solutions
CAS provides a comprehensive and secure document digitisation, information storage and facilities management service. For more than 20 years CAS has worked with NHS Trusts, Financial Services providers, and corporate and private clients. Our head office is just four miles from the City of London, supported by our advanced storage centres across the UK. CAS has an impressive array of international certifications (ISOs). These certifications prove our compliance with the strictest national, European and international laws. They also demonstrate our commitment to providing innovative systems for security, confidentiality and quality control. CAS offers archive storage solutions at its secure document storage facilities for companies of all sizes and across every sector.