The big data protection story of 2018 was the introduction of the General Data Protection Regulation (GDPR). This sweeping change to EU data protection law, the first in nearly two decades, affected how businesses are allowed to store data and the ways in which they’re required to notify users of data collection.
For the majority of our domestic shredding customers, the introduction of GDPR took the form of a barrage of emails from long-forgotten sites and businesses in the build-up to May 25. Businesses spent much of the year rewriting privacy policies and preparing their systems for the new regulations, as well as carrying out data destruction after May 25 for users who opted to withdraw their consent for these companies to continue holding their data.
Can we expect similar earth-shaking changes in the world of data protection in 2019?
At the time of writing, the form Brexit will take, if any, is unclear, so it’s difficult to say for sure what data protection law in the UK will look like. GDPR is an EU law, so technically the UK could stop adhering to it – but given that the EU forbids data-sharing with third countries that do not have “adequate levels of data protection”, this is highly unlikely. If you currently do business with the EU and hold data on European citizens, the best course of action is to continue as though nothing is changing.
Greater public awareness
News stories around data protection law and companies who breach it are becoming more abundant, and with that, public awareness and concern about data privacy is growing. Usually, these stories focus on serious breaches by enormous companies such as Google, Amazon and Facebook, but that doesn’t mean small and medium-sized businesses should become complacent. Customers and potential partners are becoming more likely to check a business’ reputation for maintaining privacy before working with or buying from them – and with that, they’re becoming more likely to avoid businesses who have a reputation for anything less than total compliance with data protection law.
Sanctions to begin – and grow
Despite GDPR coming into force on May 25, the period since has been one of complaint collection and investigation, rather than punishment. But that’s all set to change, with the first GDPR fines and sanctions set to be imposed in 2019. The maximum fine for a breach of GDPR legislation is €20 million or 4% of a business’ global revenue – whichever is higher – but the initial sanctions aren’t likely to reach that level. If the European courts deem the new regulations aren’t being taken seriously enough, or repeat offences occur, expect punishments to become harsher.
While 2018 was a huge year of change for data regulations (GDPR was the first major change in data protection law since 2000), 2019 isn’t likely to see the same degree of upheaval. What is certain is that conversation and concern about data protection aren’t going anywhere. If your business has been slow to destroy a stock of confidential customer data that you’re no longer allowed to retain, our onsite commercial shredding service can help. Just give us a call and we’ll visit your premises, shredding paper documents, laptops, hard drives, data disks and more onsite, and issuing you with a Certificate of Destruction upon the job’s completion, allowing you to start 2019 confident in your compliance.