GDPR Misconceptions: From Paper and Cloud to Encryption and Breaches
The General Data Protection Regulation (GDPR) is a comprehensive regulation that enters the statute books on 25 May 2018. It is a regulation that will seek to unify data protection law across all EU countries. What’s more, it has a broad territorial scope that applies to any and all businesses and organisations that handle, process or manage the personal data of individuals in the EU.
The GDPR requires organisations of all sizes to define and implement data protection measures that protect the personal data of consumers and employees. Organisations must put in place transparency rules that allow individuals to view and amend the data that businesses hold on them. It also requires businesses to protect the personal data that they hold and keep it secure, so businesses need to protect against data breaches.
Failure to comply with GDPR may result in a maximum fine of up to €20,000,000, or 4 per cent of global annual turnover. Therefore, it is imperative that your business understands its responsibilities in terms of complying.
GDPR was adopted by the European Union on 27 April 2016, with two years of transition before it becomes enforceable from 25 May 2018. During the build-up there have been many questions about the regulations and how they will work in practice. Here we look at some common questions and misunderstandings concerning the printing, scanning and digital storing of data.
Does GDPR only apply to digital information?
While the main focus for many businesses will be on the auditing and storing of personal information in digital form, the new regulations also apply to data stored on paper.
The inherent problem with storing personal data on paper is that, under the new rules, the processor needs to know where it is stored, how many copies of the information exist and how transparent it is to the user, that is, how easily this information can be accessed if a user asks to view their data.
For many, the best way to comply with the new GDPR rules will be to move away from paper and digitise all data. This can be done by scanning, capturing and storing either locally or in the cloud using a system that adheres to the new regulations.
Does GDPR apply to small businesses?
If your business stores the personal data of an EU citizen then it must comply with GDPR, regardless of the size of your operations. In some instances, concessions have been made to smaller operators, but the regulation states that ‘the processing of data or monitoring of individuals’ must be part of the core business of the company as a condition. Therefore, it is best to assume your business needs to comply with the regulations.
Does GDPR apply to the US? Does GDPR apply outside Europe?
GDPR applies to any business that trades with any EU country and stores the personal data of any EU national within that country. This is an important point to understand: regardless of where the source business is trading from, if it has dealings in the EU then it must comply with GDPR or face heavy fines.
Does GDPR apply to the data that we store in the cloud?
Many companies believe that by placing their data in the cloud, it becomes the responsibility of the cloud provider to be GDPR compliant rather than the individual company. This is not the case, and such confusion could easily result in your business being fined under the terms of the regulations.
As mentioned above, the GDPR regulations cover not only paper but also digital repositories. Anywhere your company stores personal data is covered by the regulations and therefore needs to be GDPR compliant.
Does encrypting our data mean we comply with GDPR?
If you store data online, encryption should already be in place and seen as a first step to protecting information. However, in and of itself, encryption is not enough to meet the needs of GDPR and could result in your business being fined.
Is GDPR the only regulation concerning data processing?
While GDPR supersedes much legislation across Europe and makes data processing a simplified process, it isn’t the sole directive that businesses of all sizes must adhere to. No matter the size of your business, you will also need to comply with individual national privacy rules that typically vary country by country.
If we comply with our national data privacy laws are we GDPR compliant?
As mentioned above, while GDPR aims to simplify many of the data processing rules across Europe, it does not interfere with the National Privacy Acts of individual countries. Therefore, even if you are GDPR compliant, your business will also need to meet the personal data regulations of the National Privacy Act in each country in which you operate.
Sharp’s comprehensive security offering, combining hardware and software products with our strong heritage in technical consultancy and managed print services, can help your business towards GDPR compliance.
If you would like to know more about how we can help you meet the needs of GDPR within your business, please Get In Touch.
European PR Manager