GDPR & Brexit - What Will the Impact Be On Shredding?
Posted on 4th February 2020 in Chaffinch News
Confidential destruction of documentation is a vital part of any organisation’s data protection strategy. Whatever your organisation, be it a law firm or financial services company, a hospital or manufacturing concern, it needs to ensure that data is protected at all times. And that must include how it is securely destroyed.
The principal UK legislation governing data protection is the Data Protection Act (DPA). Alongside it sits the EU's General Data Protection Regulation (GDPR), which marked a major shift in the regulatory framework for data protection.
What was the effect of the GDPR on document shredding? And to what extent will Brexit alter this regime, if at all? We at Chaffinch Shred, as a paper shredding service provider, feel compelled to offer some insight into these issues.
The Data Protection Act (DPA)
The UK's DPA of 2018 requires organisations to keep personal data secure and to dispose of confidential records that are no longer required in a way that prevents unauthorised access; a certified data destruction service is a recognised way of meeting that duty. It's important to note that the Information Commissioner's Office (ICO), the UK's data protection regulator, has the power to carry out a compulsory audit at any business to check compliance with the Act.
Furthermore, the DPA means business. Any organisation which fails to comply can face a monetary penalty: the old Data Protection Act 1998 capped this at £500,000 for a serious breach, and the 2018 Act aligns the maximum with the far higher GDPR penalties described below.
The GDPR
GDPR Basics
The General Data Protection Regulation (GDPR) was adopted by the European Parliament and Council in April 2016 and came into force on 25 May 2018. The GDPR affects any business, whatever its size, that:
(1) is established in the EU;
(2) offers goods or services to people in the EU; or
(3) collects, stores, transfers or otherwise processes personal data about people in the EU (it is residence in the EU, not citizenship, that brings a person within scope).
Furthermore, the GDPR encompasses non-EU firms that operate inside EU borders, as well as firms based outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. This is an especially important point to remember in view of the UK ceasing to be an EU Member State.
The Rights of Consumers / Customers / Citizens
The rights of citizens and customers under the GDPR are broad, and include:
- the right to obtain confirmation as to whether or not their personal data is being processed, where and for what purpose;
- access to their personal data;
- demanding the correction of errors in their personal data;
- the right to have their personal data erased (the 'right to be forgotten') and, separately, the right to object to their personal data being processed; and
- the right to receive a copy of any personal data held about them in a structured, machine-readable form and to transfer that data to another controller (known as 'data portability').
Organisational Requirements
Organisations are expected to implement appropriate policies and technical measures to protect personal data, as well as keep detailed records of their processing activities. The GDPR expressly makes an organisation liable for a data breach that leads to an EU resident's information being stolen or in any way misappropriated.
Penalties for breaches of the GDPR are tiered: up to 10 million euros or 2% of the company's total worldwide annual turnover, whichever is greater, for lesser infringements, and up to 20 million euros or 4% of worldwide annual turnover, whichever is greater, for the most serious.
What About Brexit?
To what extent will Brexit affect data protection here in the UK and compliance with the GDPR by UK companies? Unsurprisingly perhaps, there are conflicting views on this.
Brexit = No Difference
There are those pundits who believe it will make no difference. They cite how, even with a potential ‘no-deal’ Brexit, the UK Government stressed in early 2019 that, “there will be no immediate change in the UK’s own data protection standards. This is because the Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it”.
Brexit = Significant Difference
Then there are those pundits who believe Brexit's impact on data protection could be a lot more complicated than the UK government's statement suggests. They cite how the UK would become a 'third country' under EU law and would therefore need to obtain what is known as an 'adequacy decision'. That means the UK would need to demonstrate to the European Commission that its data protection regime is essentially equivalent to the EU's, so that personal data can flow from the EU to the UK without additional safeguards or restrictions.
The 2018 DPA should assist in granting the UK that status, should it come to that. However, some caution that the UK's controversial Investigatory Powers Act (IPA) of 2016 could be problematic, since European courts, including the European Court of Human Rights, have found aspects of the UK's surveillance regime to be too heavy-handed and to violate citizens' right to privacy.
The Bottom Line On Brexit & GDPR
The truth is, no one can know for sure what the data protection regime in a post-Brexit UK will look like, even years from now. Nevertheless, the bottom line is this: irrespective of the UK's post-Brexit relationship with the EU, any UK company with business dealings with EU residents will need to adhere to the GDPR. And that will mean the proper disposal of confidential paper records.
Proper shredding by a reputable shredding company such as Chaffinch Shred can help your organisation protect its intellectual property, sensitive commercial information and brand reputation. Corporate espionage is no joke and nor is a lawsuit or massive fine due to a breach of a customer’s data privacy.
Consider high-grade shredding a form of intelligent security, whether for business or home, and whatever the outcome of a post-Brexit UK.