There is little doubt that data is the hallmark of business today; we live in the ‘information age’ for a reason – data is ubiquitous and it drives enterprise. And while data has always featured in working life to some degree, nowadays it plays a far more prominent role, both strategically and operationally. Indeed, some argue that we now live and work in a ‘data economy’, such is the extent to which information plays a role in short and long-term business plans. But while this data offers transformative powers that few could have even dreamed of just 10 years ago, this information is also laden with risks. The UK government anticipated this with the introduction of the Data Protection Act in 1998 as businesses began to migrate over to digital practices, and now the GDPR will take precautionary measures even further – with good reason.
But as we head towards an increasingly digital workplace, the need for diligence with historical data is now more important than ever. Failure to comply with GDPR regulation will result in heavy penalties and disruption to operations as inspectors investigate an organisation’s data handling practices. Infringement can bring fines of up to 4% of annual global revenue or up to €20,000,000, and can be imposed for both breaches and administrative errors – clearly the need to get it right first time is clear. Coupling this threat with the fact that businesses generally keep far more data than is necessary brings the issue into sharper focus. With this in mind, and the deadline drawing nearer, here are some implications for leaders to consider as this regulation comes into full effect – particularly if they are planning a major office relocation when threat of data breaches is at its highest.
Historical data: getting the physical documents in check
The GDPR is often discussed and understood as a digital legislation – mostly concerning itself with mitigating modern database and network vulnerabilities – and while that is certainly the case, it also encompasses physical data handling practices. You could be forgiven for thinking that nowadays no business uses a paper-based filing system, but it’s still quite common. In fact, many financial and legal documents require a physical version in existence as a matter of statutory compliance. Clearly, then, the requirement to get all physical data in check is critical, not only to be GDPR compliant, but also to ensure that businesses are prepared for relocation. Failure to do so will place both relocator and client at risk of negligence, allowing plans to delay, costs to spiral, and reputations to fray. If your organisation is looking to move in the near future, ensure that filing processes are as up to date as possible and any potential obstacles are communicated with a specialist before initiating a physical move. Doing so will ensure relations remain intact in what can often be a highly stressful time for all parties.
Ease of access is paramount
The GDPR will require any information held on file to be accurate and able to be easily divulged with all relevant authorities. It will also demand that organisations erase information in a timely fashion to minimise the risk of security breaches. Clearly, then, firms that are looking to move will need to have measures in place to ensure that these requirements can be met, placing a considerable amount of importance on location and availability. GDPR will ask that organisations keep ‘deep storage’ data in easily accessible, but safely secured, parts of their building(s) and ensure that access to this information is managed carefully. Clients will therefore need to notify relocation specialists on the scale of their inventories so that suitable storage locations can be marked-out within a new site. Full understanding will also ensure that files are safely secured throughout transit between sites A and B, which is especially important if a relocation project is scheduled to be carried out over a number of weeks or months. Again, this is an instance that is particularly concerned with ‘physical’ information, but even digital data is often stored on a device of some kind, so there should be as much attention given to old hard drives, CDs and USB sticks as there is to paper files and other ‘analogue’ means of storage. Importantly, business leaders should always check that the chosen commercial relocation partner has specialist IT and data moving experience to ensure that they are comprehensively covered.
Should it stay, or should it go?
As mentioned, GDPR will ask that data be erased in a timely fashion to avoid security breaches – indeed, improved security and data integrity are the main tenets of this new Europe-wide regulation. Thus, having an understanding of what needs to be kept and what needs to be destroyed throughout relocation is critical – particularly if the operation wishes to remain lean, compliant and cost efficient as it moves into new premises. A business has little to lose if it stops gathering ‘excess’ data, and everything to lose by continuing to do so. Ultimately, when deciding on relocation business leaders need to ask themselves:
After understanding these points, and deciding what to keep on file, the organisation then needs to create a process for informing users about how they intend to use the information – while also gaining authorisation to do so. Business leaders should therefore have personnel in place to oversee this process and be careful to select a relocation specialist with the capability to confidently oversee changes to inventories and data designated for destruction. Doing so will ensure moving is carried out with minimal disruption and remains GDPR compliant before, during and after a project is completed.
Knowing who is liable
While a commercial relocation specialist and its client will have contractual agreements and contingency planning in place to assure compensation in the event of a mishap, it’s important to note that once a relocation is complete the burden is solely with the client to remain GDPR compliant. Relocation specialists will be able to advise and suggest ways in which to do this, but ongoing maintenance is ultimately the responsibility of the organisation in ownership of the data. This is an especially important point to keep in mind if a business is considering third-party storage solutions. While this reduces the need for real estate and storage capacity, data management still needs taking care of. Moving files off site makes modification, access and destruction of data more difficult, so businesses looking to move should be mindful of this attractive but potentially difficult option.
Steve Talbot – Managing Director of IT Efficient, a division of the Harrow Green and Restore Group
Essential compliance knowledge for iGaming professionals. Conference: Compliance Briefing London, 12 October 2017 Courses: igacademy.com/courses
Originally published by GDPR.Report
COMPLIANCE BRIEFING: LONDON
12 OCTOBER 2017
COUNTY HALL, LONDON