GDPR (General Data Protection Regulation)
After four years of preparation and debate, the GDPR (General Data Protection Regulation) was finally approved by the EU Parliament on 14 April 2016. It entered into force 20 days after its publication in the EU Official Journal and becomes directly applicable in all member states two years after that date. Enforcement date: 25 May 2018, from which point organisations found in non-compliance will face heavy fines.
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.
What does this mean for physical data security?
Those holding data relating to individuals are obliged to secure that personal data in a manner that takes account of the potential risks. These obligations apply to all computer-held data and to all manual records created after 2003.
To put it another way: if your organisation holds information on individuals, it must be secured, regardless of whether that information is held in physical files or in a digital format.
For physical data, this means that any data relating to individuals and held by a business or organisation must be secured against the most obvious risks: unauthorised access and burglary.
To address these risks adequately under European regulations, a data safe or cabinet that is certified for the potential risks specific to the location must be in place, and access to it must be restricted and recorded.
Under GDPR, organisations in breach can be fined up to 4% of annual global turnover or €20 million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of the Privacy by Design concepts.
There is a tiered approach to fines: e.g. a company can be fined 2% for not having its records secure and in order (article 28), for not notifying the supervising authority and the data subject about a breach, or for not conducting an impact or risk assessment.
Certified data protection safes and cabinets come in a wide range of types, so it's important to get advice from a company with proven qualifications in this area to select the right solution.
Data Protection safe and cabinet types
Data cabinets to EN 1047-1
Diskette inserts for installation into a data cabinet of protection class S 60 P and S 120 P, to EN 1047-1
Data containers to EN 1047-2
Data room to EN 1047-2
P: suited for heat-sensitive paper documents, with stress limits up to 170°C
D: suited for heat- and humidity-sensitive data media, with stress limits up to 70°C and 85% air humidity
DIS: suited for heat- and humidity-sensitive data media, with stress limits up to 50°C and 85% air humidity