FMs need to be aware of front-end and back-end GDPR compliance, says Ian Osborne.
05 August 2019 | Ian Osborne
The General Data Protection Regulation (GDPR) celebrated its first birthday in May and, so far, regulators have seemed keen to work with businesses rather than punish every transgression.
Is the strategy working? Shred-it's recent survey of business attitudes towards the regulation suggests a high degree of awareness of GDPR, and companies are confident in their ability to comply with the law.
But our findings also raise concerns that businesses have focused disproportionately on front-end activities such as cleaning up email lists or digitising and encrypting building access records and sign-in books. There's been less attention on back-end compliance, which is where FMs may find themselves bearing greater responsibility.
The state of SMEs
Our researchers found 72 per cent of SMEs were "very aware" of the requirements of GDPR and, when asked about their readiness, nine in 10 rated themselves at four or five out of five.
Other findings show:
- 60 per cent reported the recent changes to data protection have had a 'slight' or 'no' impact on their business;
- 8 per cent did not know;
- Fewer than half of the firms that had said they were equipped for GDPR had reviewed their data protection policies recently;
- 23 per cent had an in-house data protection officer; and
- Less than a fifth had reviewed and destroyed unnecessary data.
All of these processes could broadly be classified as 'back-end' compliance issues. They are easy to miss, but regulators are unlikely to continue to take a benign view of organisations that experience a data breach if their attitudes towards the law have been superficial.
Front-end vs back-end compliance
What constitutes best practice when it comes to data handling of paper records from a security point of view?
- Front-end compliance: This might be as straightforward as implementing a 'clean desk' policy. Personal information left unattended on a desk might constitute an investigable incident if it is copied or stolen. It might also include making sure that disposal of documents is correctly carried out and that paperwork containing personal data is placed into locked bins that are regularly emptied and the contents verifiably destroyed.
- Back-end compliance: Requires company-wide policies on who may access personal data to be drawn up and implemented. These policies should be based on thorough risk assessments that take into account the specific work environment, and they should be regularly revised. They should also cover training and support for staff: having a 'clean desk' policy is one thing, enforcing it is another.
Digitalisation has an important role to play. Any EU citizen has the right to make a 'data subject access request' so they can view and correct the records of their information held by a company. Meeting that obligation for paper records calls for:
- Scanning and storing paper records in an encrypted archive from which data can be retrieved when necessary;
- Processes governing the filtering of archive material for information that poses an unnecessary risk to store; and
- Secure disposal of paper records, with their destruction guaranteed.
For example, companies should be digitising and encrypting access control records to ensure that paper sign-in books aren't easily accessible by the public.
But are they then restricting the number of people who can read those digital records too? Are security and front desk staff aware that the data they handle is subject to GDPR? Full data security demands cultural change in an organisation and a shared understanding of the responsibilities.
The first year of GDPR has been busy, but regulators have not been heavy-handed. However, there's no reason to expect any leniency in future.
Best practices exist to help FMs achieve full compliance, and external consultants can help with implementation, but if those practices aren't put in place, a breach could prove costly.
For the survey: tinyurl.com/shredit-GDPR
Ian Osborne is vice-president, UK & Ireland at Shred-it