GDPR isn’t done and dusted. At OnTimeShred we work closely with organisations to help ensure there are no data protection breaches at the point of disposal of paper-based records. Many organisations are acutely aware of their obligations under the GDPR. However, as time goes by, it’s easy to become blasé and forget just how important the GDPR is.
Part of this is because the media went crazy over the implementation of GDPR. We focused heavily on what needed to comply in advance of 25th May 2018. The same media attention isn’t being paid to the enforcement actions (including fines and compliance actions) which have taken place in recent months.
The impact of data protection infringements
In the worst case scenario, fines for breaching the GDPR can be equivalent to 4% of an organisation’s annual global turnover, or up to €20 million. It should, however, be noted that fines can be to the highest of these two amounts.
In fact, this is really quite a worrying problem. According to the EU GDPR Implementation Review Survey undertaken by IT Governance, the majority of organisations still weren’t implementing the regulations six months after introduction. Indeed, only 29% of those surveyed reported that they had implemented all necessary changes.
It’s not surprising, therefore, that we are already seeing quite notable enforcement action under the GDPR, for example by the ICO in the UK. The French data regulator, CNIL, has just issued a €50 million to Google for breaching the data protection rules.
Infringements of GDPR
There was an initial flurry of complaints under the GDPR. This saw claims brought against big names such as Facebook, WhatsApp and Instagram. However, the media didn’t particularly pick up on these. In total, 67 enforcement actions were brought by the ICO last year.
Yet, Giovanni Buttarelli, the European Data Protection Supervisor, in October said that they expected to see the first sanctions, specifically to do with GDPR infringements, by the end of 2018. He stated: “I expect [the] first GDPR fines for some cases by the end of the year. Not necessarily fines but also decisions to admonish the controllers, impose a preliminary ban, a temporary ban or to give them an ultimatum.”
Indeed, that turned out to be the case, with the first European-wide fine imposed in Austria against a betting shop. This was connected to the misuse of a security camera. However, from there, further fines have followed.
It’s also been interesting to see that so far, the fines imposed have been on the conservative side. However, with larger scale data leaks of high profile companies of recent months such as British Airways, we could well start to see much harsher fines.
Action in the UK
When we look at UK specific action and fines, the picture is perhaps even more concerning. Two examples stand out.
Firstly is the notice given by the ICO to AggregateIQ Data Services Ltd which is actually a Canadian company using personal data for marketing. The ICO has requested the company stops using EU data.
The second is against Uber. The ICO have fined Uber £385,000 on 26th November 2018 for personal data leaks which occurred during a cyber-attack.
At the moment, paper records seem to be comfortably away from the spotlight. It makes sense that this would be the case because the GDPR extended previous data protection legislation specifically so that it afforded greater protection in the digital age.
However, that doesn’t mean we can get lackadaisical regarding how we handle paper-based personal data and ensure its protection.
How to ensure paper records are secure at disposal
One of the biggest risks concerning paper-based records is at the point of disposal. It is relatively simple and straight-forward to have filing systems and protocols which keep relevant and current paper documentation secure. When we need to dispose of it because it is no longer relevant, or the data subject has requested its destruction or deletion, how do we then ensure its security?
That’s where OnTimeShred comes in. We offer a range of different document destruction services which ensure that even at the point of destruction (and awaiting destruction), there is no compromise to security.
With both secure onsite shredding and secure offsite shredding, you can choose the right service for your business and the type of paper records you hold. In addition, we help you ensure security between when disposing of the document and when it is destroyed through shredding. This is made possible through secure storage bins and lockable disposal cabinets.
To discuss your requirements regarding secure paper record disposal, call us now on 0330 333 1234.