Keeping Personal Data Safe and Secure.

By Andrew Knorpel on 16th June 2016

If you want to maintain your corporate reputation and have an advantage over your competitors, you’ll want (amongst other things) to keep your customer data safe and secure.  In order to do so, you’ll have internal processes requiring keys and passwords for staff to access particular records; but there’s far more to data security than that.

Every contract of employment should have a clause dealing with confidential information, making it clear what it includes and that it is not just limited to documents marked “confidential”.  Staff should be trained on what amounts to confidential information and how they must protect that information from getting into the hands (accidentally or deliberately) of third parties.

The same advice applies equally to personal data, as the seventh data protection principle requires all data controllers to take appropriate technical and organisational security measures to prevent unauthorised or unlawful processing of, accidental loss or destruction of, or damage to personal data.  Despite this, we still regularly hear stories in the press of organisations’ computer systems being hacked and customers’ passwords or financial records stolen.

At present, the International Commissions Office (‘ICO’) can impose fines of up to £500,000 on organisations which breach data protection legislation.  However, the new General Data Protection Regulation (which comes into effect on 25 May 2018) will increase the limit on fines to €20 million or 4% of worldwide turnover (whichever is higher).

But it’s not just the employer who can be penalised.  On two recent occasions, the press has reported how former employees have stolen or attempted to steal personal data when leaving their employer.  In April 2016, David Barlow Lewis pleaded guilty to the criminal offence of attempting to unlawfully obtain personal data when he asked one of his former colleagues at LV= via WhatsApp to sell him customer data. He was fined £300, ordered to pay £614.40 costs and a £30 victim surcharge.

Then in May 2016, Mark Lloyd pleaded guilty to unlawfully obtaining personal data after he had emailed information about 957 of his former clients at Acorn Waste Management Ltd to his personal email address just as he was about to start work at a competitor.  The documents contained personal information such as contact details, purchase history of customers and other commercially sensitive information.  He was fined £300, ordered to pay £405.98 costs and a £30 victim surcharge.  In their press release, the ICO reminded us that “Taking client records that contain personal information to a new job, without permission is a criminal offence”.

Data protection may not be the main topic of water-cooler chat, but the risk of criminal convictions for staff, substantial fines and reputational damage for employers should make training and investing in it a no-brainer for all businesses.
