The Data Protection Act, which is based on the EU Data Protection Directive (95/46/EC), will be repealed on 25th May 2018 and replaced by the General Data Protection Regulation (GDPR), which brings with it additional responsibilities for the capture, use, storage and dissemination of personal data.
There will be implications for both your Human Resources (HR) and Information Technology (IT) departments.
How Can Document Scanning Help You?
Allan Webb Ltd, our parent group, is a proven technical documentation house with a commercial scanning facility. We are ISO 9001:2008 and ISO 27001 accredited.
If you hold any hardcopy data relating to staff or other persons, you need to understand that such documents are within the scope of GDPR and thus must be lawfully processed, adequately protected from accidental or malicious disclosure, stored appropriately and retrievable efficiently.
The new regulation could mean a fine of 20 million euros or 4% of your worldwide turnover, whichever is greater, if you are found to be processing personal data unlawfully. Further fines can be imposed following a data breach if the Information Commissioner's Office (ICO) is not informed within 72 hours of the breach being identified.
Not sure what documents you are holding in storage or generally in hardcopy?
Scanning your documents and working with them digitally in PowerRetrieve puts you in complete control. It gives you instant, permission-based access to the documents you need. The search function is easy to use, and the system only shows users the documents they are allowed to access, so the security of each document is also controlled. Audit logs are created to track users' requests.
Contact us today to discuss the options available.
GDPR significantly enhances the rights of employees in respect of personal data collected about them, which must be:
- Processed fairly and lawfully
- Collected only for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and, where necessary, kept up to date
- Kept for no longer than is necessary
These underpin the 3 prime principles:
- The Right to Information – Employers will need to provide detailed information as to how and why personal data is processed;
- The Right to Access & Rectify – Employees have a right to request the information that is held on them, including: why it is being processed, to whom it is supplied and the period for which the data will be stored, together with a right to restrict the supply of that data and/or to have inaccurate data rectified.
- The Right to be Forgotten – Employees have the right to have employers erase their personal data in certain circumstances.
Some Key definitions
Personal Data means: any information relating to an identified natural person (the data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, ID number or address, or to other factors such as the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Data Controller means: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
Data Processor means: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
How to Prepare for GDPR
Decision makers and key people in your business are aware that the law is changing to the GDPR and appreciate the impact this is likely to have. Your business has identified areas that could cause compliance problems under the GDPR and has recorded these on your organisation's risk register. Your business is raising awareness across your organisation of the changes that are coming.
Your business has set out the management support and direction for data protection compliance in a framework of policies and procedures. Your business monitors compliance with data protection policies and regularly reviews the effectiveness of data handling/processing activities and security controls. Your business has developed and implemented a needs-based data protection training programme for all staff.
- Information you hold
Your business has documented what personal data you hold, where that data came from and who it is shared with. Your business has planned to conduct an information audit across the organisation to map data flows.
- Data Protection by Design and Data Protection Impact Assessments
Your business has implemented appropriate technical and organisational measures to show you have considered and integrated data protection into your processing activities. Your business understands when you must conduct a DPIA and has processes in place to action this. Your business has a DPIA framework which links to your existing risk management and project management processes.
- Data Protection Officers
Your business has designated responsibility for data protection compliance to a suitable individual within the organisation. Your business has appointed a Data Protection Officer (DPO) if you are a public authority or you carry out large scale monitoring of individuals or you carry out large scale processing of special categories of data or data relating to criminal convictions and offences. Your business supports the data protection lead through provision of appropriate training and reporting mechanisms to senior management.
- Lawful basis for processing personal data
Your business has reviewed the various types of processing you carry out. You have identified the lawful basis for each of your processing activities and documented it. Your business has explained your lawful basis for processing personal data in your privacy notice(s).
Your business has reviewed how you seek, record and manage consent. Your business has reviewed the systems currently used to record consent and implemented appropriate mechanisms in order to ensure an effective audit trail.
If your business offers services directly to children, you communicate privacy information in a clear, plain way that a child will understand. If your business offers ‘information society services’ directly to children, your business has systems in place to verify individuals’ ages and to obtain parental or guardian consent where required.
- Communicating privacy information
Your business has reviewed your current privacy notices and has a plan in place to make any necessary changes in time for GDPR implementation.
- Individuals’ rights
Your business has checked your procedures to ensure that you can deliver the rights of individuals under the GDPR.
- Subject access
Your business has reviewed your procedures and has plans in place for how you will handle requests from individuals for access to their personal data within the new timescales outlined in the GDPR. Your business has reviewed your procedures and has plans in place for how you will provide any additional information to requestors as required under the GDPR.
- Data breaches
Your business has implemented appropriate procedures to ensure personal data breaches are detected, reported and investigated effectively. Your business has mechanisms in place to assess breaches and then report relevant ones to the ICO where the individual is likely to suffer some form of damage, e.g. through identity theft or a breach of confidentiality. Your business has mechanisms in place to notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms.