Keeping Personal Data Safe and Secure.

If you want to maintain your corporate reputation and have an advantage over your competitors, you’ll want (amongst other things) to keep your customer data safe and secure.  In order to do so, you’ll have internal processes requiring keys and passwords for staff to access particular records; but there’s far more to data security than that.

Every contract of employment should have a clause dealing with confidential information, making it clear what it includes and that it is not just limited to documents marked “confidential”.  Staff should be trained on what amounts to confidential information and how they must protect that information from getting into the hands (accidentally or deliberately) of third parties.

The same advice applies equally to personal data, as the seventh data protection principle requires all data controllers to take appropriate technical and organisational security measures to prevent unauthorised or unlawful processing of, and accidental loss of or destruction or damage to, personal data.  Despite this, we still regularly hear stories in the press of organisations’ computer systems being hacked and customers’ passwords or financial records stolen.

At present, the International Commissions Office (‘ICO’) can impose fines on organisations which breach data protection legislation of up to £500,000.  However, the new General Data Protection Regulation (which comes into effect on 25 May 2018) will increase the limit on fines up to €20 million or 4% of worldwide turnover (whichever is higher).

But it’s not just the employer who can be penalised.  On two recent occasions, the press has reported how former employees have stolen or attempted to steal personal data when leaving their employer.  In April 2016, David Barlow Lewis pleaded guilty to the criminal offence of attempting to unlawfully obtain personal data when he asked one of his former colleagues at LV= via WhatsApp to sell him customer data. He was fined £300, ordered to pay £614.40 costs and a £30 victim surcharge.

Then in May 2016, Mark Lloyd pleaded guilty to unlawfully obtaining personal data after he had emailed information about 957 of his former clients at Acorn Waste Management Ltd to his personal email address just as he was about to start work at a competitor.  The documents contained personal information such as contact details, purchase history of customers and other commercially sensitive information.  He was fined £300, ordered to pay £405.98 costs and a £30 victim surcharge.  In their press release, the ICO reminded us that “Taking client records that contain personal information to a new job, without permission is a criminal offence”.

Data protection may not be the main topic of water-cooler chat, but the risk of criminal convictions for staff, substantial fines and reputational damage for employers should make training and investing in it a no-brainer for all businesses.
