It’s not as if 25 May has etched itself into calendars the way that 25 December has. But on 25 May 2019, it was exactly one year since the General Data Protection Regulation (GDPR) came into force across Europe. In the run-up to GDPR day a year ago, many organisations worked hard and spent heavily to prepare for the changes. One year on, we thought it was worth reviewing how GDPR has shaken down – and potential areas of weakness which might remain for some organisations and their document storage protocols.
What has changed under GDPR
In many ways, GDPR has given data subjects – i.e. the individuals whose data is captured – greater power. The definition of personal data has been upgraded to include online identifiers (e.g. an IP address). You’ll probably have noticed that over the last year you’ve been asked to accept cookies more often when you visit websites for the first time. That’s because if a website is using tracking or other cookies, it needs to get your explicit permission to hold that data on you. Similarly, sensitive personal data has been extended from demographic data (e.g. age, ethnicity) to include biometric data.
The rules on capturing consent are more stringent, and consent can also be revoked more easily, at any time. Consent under GDPR requires some form of clear affirmative action; silence, pre-ticked boxes or inactivity do not constitute consent. As the consent must be verifiable, some form of record must be kept of how and when consent was given. And individuals have a right to withdraw consent at any time; their ‘right to erasure’ means that they can request deletion or removal of personal data from an organisation’s records.
Data protection breaches under GDPR
Under GDPR, organisations must guarantee that data shall be processed lawfully, fairly and in a transparent manner. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. The Information Commissioner’s Office (ICO) recorded a sharp rise in data protection complaints in the immediate aftermath of the GDPR implementation. In the five weeks to end-June 2018, the UK’s data protection watchdog recorded 6,281 complaints, over twice as many year-on-year.
A survey by the law firm DLA Piper showed there were 10,000 data protection breaches in the UK in the first eight months after the implementation of GDPR. It appears that the onus on organisations to self-report is driving data breaches into the open. And the stakes are higher now that organisations can be fined up to 4% of their annual global turnover. The largest fine to date under GDPR has been £44 million, imposed by the French data protection authority on Google for failure to capture consent around online advertising. Other major fines are sure to follow – and we’ll keep you updated.
O&H Archival meets GDPR requirements
We wanted to remind our customers that our paper document storage services also meet the required standards for data protection. More often than not, we act as data controller, while our clients retain their status as data owners. For instance, that means that our clients might receive a request to delete all the personal data they hold on an individual. As mentioned above, this right to be forgotten is one of the rights which has been enhanced under GDPR compared to previous data protection legislation. If a client using our offsite document storage services receives such a request, we can work with them to ensure that this request is fulfilled.
To find out how O&H can help your organisation comply with GDPR, contact one of our team today
Call: 0800 9155421
About O&H and GDPR
O&H provides comprehensive and secure document storage, scan on demand, and shredding services. For more than 100 years, O&H has worked with NHS Trusts, Financial Services providers, and corporate and private clients. O&H has an impressive array of international certifications (ISOs). These prove our compliance with the strictest national, European and international laws. They also demonstrate our commitment to provide innovative systems on security, confidentiality and quality control.