Post on 22-May-2020

Page 1

General Data Protection Regulation

boxit.co.uk

The General Data Protection Regulation (GDPR) comes into force on the 25th May 2018. It supplants national law in the EU and increases data subject rights with regard to their personal data.

Covering both data controllers and data processors, it recognises and protects the rights of EU citizens as ‘digital citizens’ on a global basis, no matter where their data is processed.

As widely publicised, infringements can potentially result in fines of up to €20M or 4% of the company’s global annual revenue; in addition, any person who has suffered damage as a result of an infringement of the GDPR has the right to receive compensation.

Organisations will need to ensure that their operations demonstrate lawfulness, fairness and transparency. Personal data must be collected for specified, explicit and legitimate purposes and be adequate, relevant and limited to what is necessary. The data must be accurate and, where necessary, kept up to date. To meet data subject rights, personal data must be kept in a form which permits identification of data subjects for no longer than is necessary and processed in a manner that ensures appropriate security.

Good practice in records management will fundamentally help in achieving compliance with the key principles of GDPR by ensuring that personal data is identified, inventoried and proactively managed. It will ensure that the principles of confidentiality, integrity, availability, resilience, retention and disposal are applied to all physical and digital records containing personal data throughout their lifespan.

“Data protection impact assessments will be able to help you with the task of understanding how you can meet conditions for processing and make your business more accountable under the GDPR.”

Elizabeth Denham, Information Commissioner’s Office

Page 2

Your GDPR Journey

(Numbered journey diagram; the eight steps it shows are listed below.)

- The Research: Review your organisation’s retention policies and update where required.
- Meet with Box-it: Meet with a Box-it account manager to discuss your GDPR readiness and priorities.
- Update Register: Following the information audit, update your organisation’s information asset register.
- Information Audit: Design and undertake an information audit, specifically including the identification and profiling of personal data.
- Secure Destruction: Arrange secure destruction of physical records no longer required for retention.
- Review Inventory: Review file/box level inventory in archive, including assignment of destruction review dates.
- Scanning: Scan records where digital accessibility will improve response to data subject requests.
- Electronic Records: Determine strategy for electronic records management.

General Data Protection Regulation

Page 3

General Data Protection Regulation

There are many areas along your GDPR journey in which Box-it can provide assistance. Whether you are just starting out, have completed your information audit or are ready to arrange secure destruction of physical records no longer required for retention, our services could help.

Review of Retention Policy: Your organisation’s corporate retention policy is an important document. Whilst you will likely have one in place, do you know when it was last reviewed and updated? For many organisations asked this question, the answer is “a long time ago”. Retention schedules should be kept up to date; this will help support your organisation’s responsibilities under Article 30 of the GDPR, ‘Records of Processing Activities’, also known as ROPA.

Information Audit: The information audit is an important task in preparing for the GDPR. Article 5 (d) requires that personal data shall be “accurate and, where necessary, kept up to date”. In order to comply you must first identify which information assets contain personal data. To get started, choose one department to audit and then work your way through the rest of your organisation.

Update Asset Register: Once you have completed your information audit, the findings will need to be logged within your organisation’s information asset register. If you have yet to create an asset register, Box-it can help. In conjunction with Informu Solutions we are supplying a hosted, subscription-based solution for you to record, maintain and report on your ROPA.

The information recorded will provide you with a re-usable data resource and enable you to perform a number of GDPR compliance activities (summarised in the Article 30 Records of Processing Activities overview below).

Review Inventory: Accurate, consistent cataloguing is critical for the efficient and compliant management of archive records. Our cataloguing service allows organisations to know what data they have at either file or box level. Our central cataloguing facility is a totally secure environment, closely monitored and with restricted access control, making the service suitable for confidential and sensitive information, including patient records and HR files.

Our highly powerful, yet user-friendly, web-based archive management system, Omnidox Records Manager (ORM), was developed for tracking archived paper records. It has comprehensive search, retrieval management and reporting functionality. It enforces consistent classification, improves accuracy and ultimately drives best practice in records management. Accessed by named user logins, your data is available only to authorised personnel. What’s more, retention policies can be set at file or box level.

Secure Destruction: Following the creation of an inventory and the identification of physical documents that are beyond their retention period, or upon receiving an Article 17 GDPR right to erasure (‘right to be forgotten’) request, Box-it provides a secure and auditable destruction service. This can be requested within our ORM platform, meaning you have a full audit trail.

Using the services of a specialist document shredding business such as Box-it, with a proven track record for robust security, reliability and quality procedures, is recommended to reduce any risk of breaching the GDPR.

Our operations meet the requirements of the Environmental Management Standard ISO 14001.

Scanning: The GDPR provides individuals with rights regarding their personal data; this includes the right of access, allowing them to access the personal data you hold about them.

Recital 63: “A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health... etc.”

The digitisation of data through document scanning helps facilitate responses to data subject requests, as the data is then held in a searchable format.

Electronic Records: Article 5 (f) requires personal data to be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

Omnidox, developed and operated by Box-it, is our cloud-based repository for electronic document management, which we are proud to say has won multiple storage industry awards. It is user-friendly, very secure and makes your documents accessible only to authorised personnel.

GDPR Article 30 Records of Processing Activities (diagram; the headings it shows are listed below)

Gaining Personal Data Insight:

- Categories of Data Subjects
- Categories and Sources of Personal Data
- Purposes of Processing
- Who Shared with, how and why
- Time Limits for Erasure
- Protective Measures in place

Compliance activities supported:

- Update Consent Forms / Privacy Notices
- DP by Design and DP Impact Assessments
- Update Sharing Agreements
- Mitigate / Report Data Breaches
- Respond to Data Subject Requests and Rights

Page 4

Storage / Scanning / Shredding / Out-Sourcing

boxit.co.uk · 0800 220 707 Freephone

[email protected]

Local service, national reach

Our knowledgeable, friendly personnel at your nationwide Box-it regional office are on hand to help with those urgent and non-urgent requests, as well as any general enquiries you may have. We are proud of our reputation for excellent customer service. Wherever you are based, Box-it has a facility offering document management solutions within easy reach.


Box-it UK Limited, Winnall Down, Alresford Road, Winchester, Hampshire SO21 1FP Call 01962 830 200 Fax 01962 830 300

© Box-it Data Management Ltd. All rights reserved. Box-it UK Ltd and Box-it Document Solutions Ltd are subsidiaries of Box-it Data Management Ltd. Omnidox is a registered trademark of Box-it Data Management Ltd.