By Andrew Knorpel on 16th June 2016
If you want to maintain your corporate reputation and have an advantage over your competitors, you’ll want (amongst other things) to keep your customer data safe and secure. In order to do so, you’ll have internal processes requiring keys and passwords for staff to access particular records; but there’s far more to data security than that.
Every contract of employment should have a clause dealing with confidential information, making it clear what it includes and that it is not just limited to documents marked “confidential”. Staff should be trained on what amounts to confidential information and how they must protect that information from getting into the hands (accidentally or deliberately) of third parties.
The same advice applies equally to personal data, as the seventh data protection principle requires all data controllers to take appropriate technical and organisational security measures to prevent unauthorised or unlawful processing of, and accidental loss or destruction of or damage to, personal data. Despite this, we still regularly hear stories in the press of organisations’ computer systems being hacked and customers’ passwords or financial records being stolen.
At present, the Information Commissioner’s Office (‘ICO’) can impose fines of up to £500,000 on organisations which breach data protection legislation. However, the new General Data Protection Regulation (which comes into effect on 25 May 2018) will increase the limit on fines to €20 million or 4% of worldwide turnover (whichever is higher).
But it’s not just the employer who can be penalised. On two recent occasions, the press has reported how former employees have stolen or attempted to steal personal data when leaving their employer. In April 2016, David Barlow Lewis pleaded guilty to the criminal offence of attempting to unlawfully obtain personal data when he asked one of his former colleagues at LV= via WhatsApp to sell him customer data. He was fined £300, ordered to pay £614.40 costs and a £30 victim surcharge.
Then in May 2016, Mark Lloyd pleaded guilty to unlawfully obtaining personal data after he had emailed information about 957 of his former clients at Acorn Waste Management Ltd to his personal email address just as he was about to start work at a competitor. The documents contained personal information such as contact details, purchase history of customers and other commercially sensitive information. He was fined £300, ordered to pay £405.98 costs and a £30 victim surcharge. In their press release, the ICO reminded us that “Taking client records that contain personal information to a new job, without permission is a criminal offence”.
Data protection may not be the main topic of water-cooler chat, but the risk of criminal convictions for staff, substantial fines and reputational damage for employers should make training and investing in it a no-brainer for all businesses.