What’s the best way to demonstrate GDPR compliance?
All businesses and processors of personal data in the UK need to operate within the scope of GDPR.
While there isn’t an official GDPR certification your business can work towards, it’s still important that you can demonstrate compliance on request. Article 5 of the UK GDPR states that personal data must only be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”. It also states that personal data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”. This means that if you no longer need the data, it should be anonymised or destroyed. No holding onto it for reasons unrelated to its initial processing or “just in case”.
That means developing policies and procedures for handling confidential data, including disposing of documents that are no longer needed. Your firm could face significant fines if it’s found to be handling confidential data in the wrong way or failing to securely dispose of it when it’s no longer needed.
So, how can your business demonstrate GDPR compliance?
The Information Commissioner’s Office (ICO) is responsible for enforcing GDPR in the UK. It has many resources online to assist your business with GDPR compliance. First and foremost, we would advise getting a strong Data Retention Policy in place. To do this, you need to:
- Identify what data and information your business processes.
- Decide how long you need to keep the data before deletion and destruction. Note that some statutory retention periods may apply.
- Create a data retention policy and a data destruction schedule.
This policy could cover things like:
- Personal information about potential customers
- Personal information about existing customers
- Applicant CVs and cover letters
- Unwanted accounts, records, and receipts
- Employee notebooks
- Personnel files
By creating a centralised Data Retention Policy that all staff can look to for guidance, you simplify information destruction for your entire workforce.
You should also develop and document policies, procedures, compliance measures and external controls that dictate how and why you process personal information. By recording your approach to data protection and what you will do in terms of working processes, you can demonstrate that you are complying with the GDPR.
Your policies and procedures should cover what data you need, how you will collect it, how you will process and store it, how long you’ll hold it for, and how you’ll dispose of it at the end of its life.
What to do when documents are no longer needed?
Your business needs to consider how you’ll get rid of paper records that contain confidential data. These might include printed customer records, customer correspondence, supplier or customer registration forms, records of conversations, and other documents. Remember, this may not just be print-outs and archive files. It could also include things like employee notebooks, sticky notes, and shared wall calendars. Wherever and however you’ve recorded confidential information on paper, you need to make sure those records are disposed of. This will prevent them from being accessed by unauthorised parties. To keep documents that you no longer need safe, even before destruction, you may also wish to invest in a confidential waste bin for your workspace.
A scheduled data destruction service from a specialist firm like Shred Station could form an important part of your approach and be written into your policies and procedures. For instance, you might determine that all unwanted paper records could be collected and destroyed every month. Evidence that this had taken place, such as certificates of destruction, could then be used to demonstrate GDPR compliance. This completes the audit trail for your confidential paperwork.
We offer a scheduled collection and shredding service to help companies stay on top of their data destruction obligations. To learn more, visit our page on regular shredding. We also offer one-off and ad-hoc services for businesses who only require occasional clear-outs.