PAUL MATHER – DIVISIONAL OPERATIONS DIRECTOR SAYS:
The gap in knowledge across those I speak to both in this industry and outside is immense, with some comparatively aware and others unfortunately less so. However, there is one common theme. Businesses tend to view their databases as their core assets, (aside from their staff of course) and so their focus when it comes to GDPR tends to be targeted at this.
What most seem to be forgetting for the time being is that data isn’t just a collection of 1’s and 0’s stored on a hard disk somewhere. Whilst these days the majority of data collected and obtained is in electronic format, most businesses have huge volumes of hardcopy data – some of it recent and well used and some of it which has been sat untouched in the bottom of a cupboard for a decade or so. When it comes to hardcopy data, one of the largest area’s that we tend to forget about among the day-to-day running of an organisation, is that of your staff.
Even under the outgoing data protection legislation businesses should have a clear and understood data retention policy and GDPR reinforces this. If I was to ask the reader how long their company keeps ex-staff records for example, what about staff payroll information, sickness and absence from work forms, maternity forms? etc I suspect that there will more than few feeling a little uncomfortable. Leaving the myriad of requirements aside, GDPR states that Personally Identifiable Information be kept only for as long as is reasonable for the purpose that it was collected for. Having that personnel file for Sally who used to work in finance 10 years ago is perhaps seen in a new light.
As I say this is nothing new and indeed the current DPA says much the same thing but GDPR is a much stronger regulation with significant fines. Organisations should take advice to what an appropriate retention policy would be for their business operation. Retention has, in fairness, always been a minefield not being specifically defined in either the DPA or GDPR. This could well be different for individual companies but among the demands of cyber security over the next few years don’t forget the physical security side.
One thing is for sure, there’s a boom time coming for shredding companies!