What Is GDPR Compliance
GDPR Compliance is a service offered by UK Document Management to help organisations meet their GDPR obligations.
Our experience in document scanning and document management allows us to offer bespoke scanning services that meet the needs of any organisation. Our GDPR compliant scanning services allow any paper or microfilm document archive to be converted into more useful electronic formats such as PDF. This means organisations are able to streamline their data processes and demonstrate that they comply with the requirements of GDPR.
Converting to electronic formats benefits GDPR compliance in a number of ways, including reduced costs, time savings and improved security. These benefits are explained in greater detail below.
Save Time & Money With GDPR Compliance
GDPR will bring an increase in requests from individuals exercising their rights, such as the right of access and the right to be forgotten. Organisations will have only 30 days to comply with these requests, down from 40 days, and can no longer charge a fee. This all means an increased workload and increased costs for organisations that still work with physical documents.
Converting physical documents into electronic files allows organisations to mitigate the extra workload. This is possible because retrieval times for electronic files are significantly shorter than for physical documents. Retrieval times for electronic files can be measured in seconds and minutes, whereas physical documents are usually measured in hours and even days if external storage is used.
With physical documents it is almost impossible to tell how many copies of a document there are and where every copy is located. This is a nightmare situation for GDPR compliance as every copy of every document must be located and disclosed when a person requests their personal data. The concept of ‘security by obscurity’ is no longer a valid excuse for not fully disclosing information.
Secure Your Data With GDPR Compliance
GDPR introduces the concept of ‘Data protection by design and default’ which means that organisations need to make sure their data handling processes are kept secure. Converting physical documents into electronic formats means that it is easier for organisations to secure their data and adhere to the concept of ‘Data protection by design and default’.
The reason electronic data is easier to secure and keep private is because it can be kept in a central location where it can be securely managed with access limited on a per user basis. This is vital for GDPR compliance as organisations are legally obliged to restrict access to personal data to just the people who need the access.
Physical documents are vastly more difficult to keep secure, track and manage access to. No matter how advanced the booking in and out process, there is always the risk of data loss due to human error. Once a physical document is lost there is nothing stopping anyone from reading its contents. Lost electronic files, by contrast, are virtually impossible to access without knowing the password if appropriate encryption has been used.
Other Benefits of GDPR Compliance
• Simplifies managing data retention periods and makes disposing of data past its retention period so much easier. This is important as it may be illegal to possess that data after the retention period has passed.
• It is possible to set up a system that logs who has accessed the electronic data, making it possible to identify the sources of possible data breaches and reduce the impact of a data breach if one ever did occur.
• Converting documents to electronic format means there is no need to have rooms full of filing cabinets and stacks of boxes of documents. This means less cramped offices and more space for expansion.
• Getting rid of physical documents means there is no need for staff to spend hours tediously looking for that one piece of information. All this means greater staff morale, as they will be able to concentrate on their actual jobs rather than digging through documents in dusty storage rooms.
What Is GDPR?
The General Data Protection Regulation or GDPR for short is a new set of data protection regulations that will come into force on 25th May 2018 across the EU.
GDPR will standardise data protection legislation across the EU and will replace the UK Data Protection Act (DPA) (1998) in the UK. The introduction of the new GDPR legislation in the UK will not be affected by Brexit; this has already been confirmed by the UK Government.
The scope of the data protection legislation in the UK will be significantly expanded with GDPR and will be much more wide reaching than the existing UK DPA (1998). There will be a number of new rights that grant individuals greater control over their personal data. Organisations will need to comply with these new rights as GDPR introduces new powers which allow for significant fines for non-compliance.
Who Does GDPR Apply To?
GDPR will cover any business that collects or stores data of individuals residing in the EU. This means that GDPR even applies to companies not based in the EU; they will still have to comply if they wish to legally provide services in the EU.
GDPR applies to both “Data Controllers” and “Data Processors” and is relevant to companies of all sizes in any industry. A “Data Controller” is responsible for controlling how and why personal data needs to be processed, whereas a “Data Processor” is responsible for the management and processing of the data.
Most companies will be classified as both controllers and processors under the GDPR regulations. However if processes involving personal data are outsourced then it is likely the controller and processor will be different companies. Under GDPR even if a company is just the controller it is obliged to ensure any contracts with the data processor comply with GDPR.
When Does GDPR Come Into Force?
GDPR will come into force from 25th May 2018.
There has been a 2 year transition period that started in April 2016 when GDPR first became law. The 2 year transition period is intended to give companies the time needed to make significant changes to their processes in order to comply.
Any further extensions or grace periods are unlikely to be given after the May 2018 deadline due to the length of the transition period already given.
What Are The Requirements Of GDPR?
Article 5 of GDPR sets out a number of key principles.
• Data must only be collected and processed for a specified, explicit and legitimate purpose.
• Data must be adequate, relevant and limited to what is needed for the purpose the data is being processed.
• Data should only be kept for as long as required for the purpose the data was processed.
• Organisations must process data relating to an individual lawfully and in a fair and transparent manner.
• Organisations must ensure the data is accurate and kept up to date. Every reasonable step must be taken to make sure inaccurate data is corrected or erased without delay.
• Processes should be designed so that security, integrity and confidentiality of personal data is maintained at all times.
Article 5 also requires a “Data Controller” to be able to demonstrate compliance with these principles.
What Is “Personal Data”?
In the GDPR legislation personal data is broadly defined as “Any data that relates to an identified or identifiable individual.” Things such as name, address, age, gender, contact details, etc. are all covered.
The scope of GDPR is not limited to the above items of personal data; a broad range of data types is covered, such as:
• Employee information
• Financial information
• Location data
• Biometric data
• Customer service and feedback data
• Customer lists
• Online identifiers such as IP addresses
• CCTV footage
Article 9 of GDPR refers to “special categories of personal data” which are subject to stricter rules relating to collection and processing. These special categories include things like health / medical information, race / ethnic origin and sexual orientation.
What Are The Consequences Of Non-Compliance?
Under GDPR legislation there will be significantly increased fines for companies found to be non-compliant. Once GDPR comes into force the upper limit for fines will be increased to 20 million Euros or 4% of annual global turnover. As a comparison, the UK DPA 1998 allows for fines up to £500,000.
As well as fines GDPR gives provisions for individuals to bring civil litigation against companies for GDPR breaches and infringements.