Many of us are suffering from GDPR fatigue. All articles, news reports and internal meetings are essentially repeating the ICO's main principles and the broad steps needed to become compliant. The word journey is also bandied about, suggesting that if steps are being taken, and can be proved, you'll avoid the hefty fines which now act as the GDPR stick.
However, three months on, GDPR is slowly starting to feel like something real, rather than something hypothetical found in a business textbook.
Within the first month of GDPR, the ICO received 1,124 complaints about data breaches. These came mainly from individuals, but sometimes from organisations proactively informing the ICO of breaches. This was a sharp increase from previous years, and it appears it was not a knee-jerk reaction that was going to abate. The ICO has now released data from the first three months, during which it received 6,281 complaints. This averages around 2,500 complaints a month for months two and three.
If you then compare to 2017, the ICO only received 2,417 in total over the same three-month period, a 300% increase. Clearly, individuals are not only aware they have rights now but feel empowered to do something about it.
So, has everyone in the UK read the GDPR policy and do they know when to complain?
I highly doubt it, but data breaches are news headlines, and not only that, they are high profile. So, while the nuances might still be a problem, stories such as Facebook/Cambridge Analytica are well known and, even without knowing all the details, can provide individuals with a general sense of personal data ownership and rights, and a confidence that companies can be held to account.
Without a doubt, the number of organisations that approach Restore with requirements that stem from GDPR concerns has risen sharply, especially over the last two months. And this isn't just organisations that are worried about how they hold customer data, but increasingly HR teams worried about their employee data.
What is worrying organisations the most? Where are their weak points?
From our internal research, a lot of organisations are worried about what they call dark boxes of data (i.e. stored boxes whose contents are unknown) and about the amount of archive paper data. Paper data is hard to categorise, which makes it hard to know quickly and simply what you hold on an individual. As data becomes increasingly digital, individuals can have some data on paper and some stored electronically.
This leaves organisations unsure that they can reply quickly to SAR requests and, most importantly, keep up to date with retention periods.
What are retention periods and why are they important?
With the Facebook/Cambridge Analytica scandal we learnt about data harvesting, where individuals hand over data believing it's just for one thing, e.g. an innocent game/quiz on Facebook. However, that information might be sold on, along with other information Facebook harvests, or the game itself might be created by a data company like Cambridge Analytica which wants to use that data for other commercial uses. Basically, there is a sense of tricking the individual.
T-Mobile is another organisation that seems to be constantly in the news with data breaches. Its issues are around data security and unauthorised access.
However, data breaches aren't just these high-profile examples that most companies have high up on their risk agenda. Not adhering to retention periods is still classed as a data breach.
When you hold individuals' information, each type of information has a retention period - this is how long you must keep the information on file, and then a time when it must be deleted, and you are no longer allowed to hold that information.
And for HR teams this isn't as straightforward as deleting all data held on a previous employee after X years. Each type of information has a different retention period, so information about maternity will have a different retention period to next of kin/emergency contact details, to the signed contract, and to pension information. This is where paper records make conforming to GDPR difficult, time-consuming and manual.
Robots to the rescue
GDPR in a nutshell is about safe, secure, accurate information not kept longer than necessary. If you digitise, you can automate, and if you automate you can let robots keep you GDPR compliant.
A good records management system allows you to set permissions and rules for each bit of data, giving internal colleagues different access to information contained within one database.
A good database with robotics sat within it can automatically move data into recycle bins, ready for you to check and delete, once certain rules like retention periods are met.
And if you get AI involved, you can link data held in different databases on the same individual, so updates are replicated. AI can also pull information out of documents and process information if it is an invoice etc.
"If the 2013/14 Yahoo data breach happened today", commented Paul Moonan, Managing Director of Restore Digital, "the company would have faced fines anywhere in the region of $80-160 million. No matter the size of your company, this is a devastating amount. It is important to remove the manual aspect of data management. Not only is it time-consuming, but it is prone to errors that can be costly. Utilising technology and robotics can make GDPR a simple task".
About Restore Digital
Restore is the largest UK-owned document management company, working with over 4,000 small, medium and blue-chip companies from our 100+ locations across the length and breadth of the UK. No matter where you're based, Restore always has an office or bureau nearby.
All our solutions stem from our unrivalled scanning capabilities. We have the largest fleet of IBML scanners in Europe and our document scanning service is second to none.
This core function of scanning is enhanced by our data capture and automated solutions, which mean paper documents aren't just turned into a PDF, but the data contained within them can work harder and be pushed to the right people or databases in a timely fashion.
For more information:
If you require more information regarding the article, or press/media enquiries in general please contact the Head of Marketing on 0333 043 5496 or email firstname.lastname@example.org
Spokespeople available for comment:
Restore Digital have a range of experienced, senior staff, used to working with the media to discuss a range of data and digital back office workflow issues. Whether it be GDPR, the effect of Brexit on Government Departments, or the efficiencies within the NHS and the public sector, we have a pool of knowledgeable experts that can help and support media analysis of the latest news.