Are your personal data records GDPR compliant?
Unless you were living under a very large stone last year, you will be aware that the new General Data Protection Regulations (GDPR) were introduced in May. They’ve come into force to help the likes of you and me take back control of our personal data, which is a good thing, but at the same time, they have serious implications for any organisation that processes and holds personal data.
A lot of organisations hold physical records of personal data, whether that’s on their own premises or in a third party storage facility. We thought it would be useful to look at what issues GDPR might cause your organisation and what solutions you can put in place to avoid investigation and a potential fine by the Information Commissioners Office (ICO).
A brief look at GDPR
It would be remiss of us not to provide a quick introduction to GDPR. In brief, it’s an EU regulation that came into affect on 25th May 2018, and affects all companies (whether they are inside or outside the EU) that hold and process EU citizen’s data. It also provides individuals with certain rights. For example as an individual we can demand to know what personal data of ours a company is storing. We also have to agree the stated purpose for the use of that data, and we have the right to be forgotten i.e. we can withdraw consent and the company in question must delete our data.
What is personal data?
According to the ICO, personal data is information that relates to an identified or identifiable individual. It could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier. For the purposes of this blog, we’re focusing on hard copy personal records and how they should be stored, processed, recorded and deleted.
What are your GDPR obligations?
For organisations storing and archiving personal data records, there are a number of GDPR obligations that must be met. Unfortunately the penalties for failing to do so are potentially quite high - the maximum fine is €20 million or 4% of the global annual turnover of a business (whichever is the greater).
Here are some of your obligations:
You must only hold data that you actually need.
You need to think about, and be able to justify, how long you keep personal data. This will depend on your purposes for holding the data.
You must not keep personal data for longer than you need it.
You need a policy setting standard retention periods wherever possible.
You should also periodically review the data you hold, and erase or anonymise it when you no longer need it.
The data must be kept secure.
You must respect people’s right to be deleted/removed.
You must make sure you can easily access and provide the data you are holding if it is requested by an individual.
You must securely destroy data that you don’t need any more.
How compliant are your personal records?
We’ve whittled the list down to three main areas that you, as an organisation storing physical personal data, need to address. Can you provide right of access to the data in the event of a request? Can the records be deleted easily and securely? Are they stored securely?
Let’s look at each one in turn.
Can you provide right of access to the data in the event of a request?
An individual has the right to find out if your organisation is using or storing their personal data. They can exercise this right by requesting a copy of the data, which is known as a ‘subject access request’. As an organisation you have a month to respond to the request. If your records have not been recently audited and it’s hard to access the filed, this is likely to cause a problem. If you do not respond or the individual is dissatisfied, they can make a complaint to the ICO or seek to enforce their rights through the courts.
That’s why we strongly advise you to undertake an audit of your physical records and keep an up-to-date report on what is stored and where, so you can access them in reasonable time. Here at Clares we can undertake a physical audit of all your files and records as part of the process of moving them to one of our archive storage facilities. All files are logged in an online portal, which you as an organisation can securely access. Personal records can then be searched for and requested at the touch of a button.
Can the records be deleted easily and securely?
If an individual feels that your organisation no longer needs their data or they withdraw consent for you to use their data, then they have right to erasure, or the ‘right to be forgotten’. As an organisation you have one calendar month to respond to the request and securely delete the records. Again, if your records are not audited and accessible, this can pose a problem. Your organisation also needs to have an agreed policy setting standard retention periods, after which personal data should be deleted.
At Clares we give each storage box that enters our storage facility a unique identity number. This can be used to manage your records and identify their exact storage location using our online system. For quick and easy access, we also use a state-of-the-art Radio Frequency Identification (RFID) tracking system. This provides high levels of accuracy and efficiency far beyond standard barcode management. In addition we provide weekly audit reports which will flag any records that are outside of your agreed retention period, and can therefore be deleted. Of course, deleting obsolete files delivers the added advantage of reducing your storage requirements and associated overheads.
Are they stored securely?
The final challenge in meeting your GDPR obligations is ensuring that you are keeping all personal data, properly secure, so that details can’t be accessed and used by anyone else. At Clares we meet these strict obligations by providing monitored storage facilities, each of which has gated perimeter fences, 24/7 security patrols and advanced CCTV. In addition, our gate staff require ID from anyone entering the facility and building entry is controlled with Suprema BioEntry W2 outdoor vandal-proof fingerprint IP access terminals. This provides the latest fingerprint algorithm coupled by powerful quad-core CPU and LFD (live finger detection) technology. We think you’ll agree, your personal records will be safe with us.