Ian Osborne, vice president UK and Ireland for document destruction service provider Shred-it, highlights the importance of being up to date with data protection best practice as Brexit approaches
This article is the view of the author and not necessarily of Ready for Brexit
Since 23 June 2016, Brexit has dominated the news agenda. No matter where you live or what line of work you are in, you will not have escaped the constant drum of media commentary surrounding the UK’s relationship with the EU, if, how and when we will leave, and what this will mean for business and society as a whole.
Whether you’re gripped by the Brexit debate, or sick to death of the subject, there is no avoiding the fact that it will have enormous repercussions. With this firmly in mind, businesses up and down the country have been steadily preparing for the eventuality of Britain leaving the European Union.
The truth is, Brexit presents an array of challenges – and indeed opportunities – for small and medium-sized enterprises (SMEs). One crucial aspect that business leaders must be aware of is data protection, and how leaving the EU will affect their operations in terms of data security.
Recent guidance from the Information Commissioner’s Office (ICO) confirmed that whether we leave the EU with or without a deal, most of the data protection rules affecting SMEs will remain the same. The good news is that UK businesses that comply with GDPR and that have no contacts or customers in the EEA don’t need to do much more to prepare for data protection after Brexit. However, UK companies that receive personal data from contacts within the EEA must take additional steps to ensure that they are fully compliant after Brexit, which may require designating a representative in the EEA.
Brexit aside, there remain questions as to how compliant with GDPR small businesses across the UK are, despite it being over a year since the legislation was introduced. To gauge the attitude of businesses, Shred-it commissioned a survey of 1,439 UK-based SMEs. The Shred-it survey found that 72% of respondents said they were very aware of GDPR.
While this is positive news, the biggest concern is whether or not the confidence in GDPR-readiness is justified. Fewer than half (45%) of the organisations that said they were ready to deal with data protection requirements also said they had reviewed their data protection policies recently. Just over a third had emailed their customers to confirm consent to data use, fewer than a quarter had published a privacy notice, and just over two in ten had reviewed, deleted or destroyed personal data.
These results suggest that SMEs need to take a more proactive approach to data protection. First of all, businesses must stay up to date with privacy laws and understand what action – if any – they need to take to comply, particularly post-Brexit. The ICO website provides clear guidance on this.
It is also important to remember that data protection covers both digital information and paper records. For digital data, companies can take simple steps to help them comply with GDPR, including setting secure usernames, passwords and PINs for all devices, installing anti-virus software and a firewall on their computers, not posting confidential information on social media, not sharing files over public Wi-Fi, and not opening files or links from an unknown sender.
As with digital data, companies should also have strict internal procedures in place to deal with the protection of paper records. Inadequate long-term storage of paper documents, such as archives with unrestricted access, is a key point of vulnerability. Important documents containing personal information left on printers, on desks and in bins overnight are also a compliance risk.
Best practice should include providing locked confidential information consoles that are easily accessible and introducing clean desk policies for everyone in the company. Businesses should also arrange for the secure destruction of documents after use or after prescribed periods of mandated storage, keeping only digital copies of essential files in an encrypted format.
Most importantly, however, businesses must have a strict policy on data protection that is communicated clearly across the organisation and updated whenever necessary, in order to avoid a potential breach and the inevitable repercussions that will follow.