Data collection in advance is prohibited!


70% of all important data is still on paper – and often simply ends up in the trash. Data protection? No such thing! What is often overlooked: The provisions of the GDPR also apply to personal data on paper. Your existing documents must also comply with the GDPR requirements.

GDPR


The General Data Protection Regulation (GDPR) has expanded all previous data protection principles since May 25, 2018. For companies that process personal data of EU citizens, this date was the deadline for implementing the new requirements. In addition, with the introduction of ISO/IEC 21964 in 2018, data destruction was also internationally standardized.

Data leak: strip cut

Do you still shred strips?
Simply tearing up documents containing personal data or shredding them into wide strips is no longer sufficient. These must be protected in full compliance with GDPR and DIN standards.

The solution: destroy personal data in compliance with GDPR and DIN standards.
This is best achieved with an IDEAL document shredder with security level P-4 or P-5 – this is also recommended by DIN 66399. Security level P-4 is suitable for paper documents containing particularly sensitive data, such as payroll slips, personnel data, balance sheets, and tax documents. For confidential data, such as balance sheets, profit and loss statements, strategy papers, or medical records, P-5 is the correct security level.

Data leak: Waste disposal company

What if data protection falls by the wayside?
Do you regularly have to dispose of large quantities of documents? It may sound tempting to have someone else take care of the hassle and responsibility for you. However, this doesn't guarantee absolute security.

The solution: Shred yourself with IDEAL document shredders.
No large collection points, no long transport routes, no uncontrolled intermediate stations: When you destroy confidential documents yourself, these risks are eliminated. High-quality IDEAL high-capacity document shredders operate for many years – the investment quickly pays for itself. Violations of the GDPR can result in fines of up to €20 million or up to 4% of global annual turnover.

Data leak: mailbox and desk

End of work for data spies.
In the office, many documents cross the desk every day – including those containing sensitive data. What happens to them at the end of the day?

The solution: Introduce a clean desk policy.
The foundation of a clean desk policy is a fixed system for paper documents. Encourage your employees to file all documents properly at the end of the day, lock away confidential documents, and destroy documents that are no longer needed. With an IDEAL desktop shredder, this is a breeze.

Data leak: hard drive

Destroy old data storage devices, not your reputation.
Old hard drives are an open book for tech-savvy "finders" – even if they've been overwritten. Once disposed of, you can no longer verify where your old storage devices actually end up, or what happens to their contents.

The solution: Make old data storage devices unusable.
Whether you need to replace an outdated or defective hard drive or return a loaner device: with the IDEAL hard drive hole punch, you can destroy your electronic data safely, conveniently and reliably.

Guide: The data protection requirements and obligations of the GDPR

Things to know about the EU General Data Protection Regulation (GDPR)

The European General Data Protection Regulation expands existing data protection principles and is valid throughout the EU. All companies that process personal data of EU citizens have been required to comply with the new requirements since May 25, 2018. The tightening of data protection regulations has also increased the sensitivity of processing and using personal data on paper.

What are personal data?

This includes all information about the personal or factual circumstances of a specific or identifiable person, e.g., name, address, marital status, pension/health insurance number, professional qualifications, salary information, tax class, certificates, expert opinions, file notes, diagnoses, and much more.

What new, expanded data protection obligations are associated with the GDPR?

Principle of data minimization (Chapter 2, Article 5 GDPR)

The general rule is that personal data must be collected sparingly and may only be processed if the data

• are appropriate for the purpose and
• are relevant and substantial for the purpose.

In general, data collection in advance is prohibited.

For the selected data categories, please also note:

Personal data must be collected and processed in a way that is appropriate for the stated purpose, but not beyond that.

When collecting personal data, the controller must limit the collection to the information necessary for the purpose.

Duty to provide information and right to information (Chapter 3, Article 13, Paragraph 1 GDPR)

In general, there must be a legitimate reason for the use and processing of personal data. When personal data is collected, the controller must provide and ensure complete documentation regarding the purpose, duration, storage, and deletion.

Right to be forgotten (Chapter 3, Article 17, paragraphs 1 and 2 GDPR)

The data subject may request that their personal data be deleted. This obligates the controller to delete all collected data promptly and completely. Furthermore, it must ensure that any links to the personal data or copies are irrevocably destroyed. Exceptions are defined in paragraph 3.

Right to data portability (Chapter 3, Article 20 GDPR)

The data subject may request that his or her personal data be transferred to him or her in a structured, commonly used and machine-readable format.

Right to object (Chapter 3, Article 21 GDPR)

The data subject has the right to object to the processing of personal data concerning him or her.

Security of processing (Chapter 4, Article 32, paragraphs 1 and 2 GDPR)

The controller and the processor must take appropriate technical and organizational measures to protect natural persons.

The effectiveness of the technical and organizational measures must be regularly reviewed, assessed and evaluated.

Appointment of a data protection officer (Chapter 4, Article 37 GDPR)

There is a Europe-wide obligation to appoint a company data protection officer.

Responsibility of the controller (Chapter 4 GDPR)

According to the Federal Data Protection Act, the person who collects information is responsible for its protection throughout its entire lifecycle. The controller and the processor are therefore liable for any material and immaterial damages incurred by the data subject. Responsibility for this data cannot be transferred to third parties. This also applies, among other things, to the outsourcing of destruction contracts to external service providers. (Chapter 8, Article 82 GDPR)

Notification of personal data breaches to the supervisory authority (Chapter 4, Article 33, paragraph 1 GDPR)

In the event of a personal data breach, the controller is obliged to report the incident to the competent supervisory authority without undue delay and, if possible, within 72 hours (Chapter 6, Article 51).

Increased fines (Chapter 8, Article 83, paragraphs 4 and 5 GDPR)

The general sanctions for violations of the regulations have been significantly tightened. A fine of up to EUR 20 million or up to 4% of the previous year's worldwide turnover can be imposed by the competent supervisory authority.

Further information on the EU General Data Protection Regulation can be found at:

https://www.datenschutz-grundverordnung.eu/

SN / 09.02.2018