12th September 2016
In our ever more computerised world, organisations handle data relating to customers, employees or other individuals on a day-to-day basis. And once it’s in your hands, you must protect it with your corporate life, ensuring that it is kept secure and not used for improper purposes.
And yet, we still regularly hear stories in the press of how unencrypted data has fallen into the hands of unauthorised third parties (perhaps through hacking or employee negligence/misconduct). Reputations which may have taken years to build can be destroyed in a matter of mouse clicks.
If you want to maintain your corporate reputation, you’ll have internal processes requiring keys and passwords for staff to access particular records; but there’s far more to data security than that.
You should place a publicised data protection and confidentiality regime at the heart of your organisation. Firstly, make clear to staff how they should deal with confidential information, setting out in contracts of employment what this includes and that it is not limited to documents marked “confidential”. Staff should then be trained on what amounts to confidential information and how they must protect it from getting into the hands of third parties, whether accidentally or deliberately. By dealing with personal data in the same way, you’ll also be complying with the legal requirement to take appropriate technical and organisational security measures to prevent unauthorised or unlawful processing of, accidental loss or destruction of, or damage to, personal data.
But, I hear you cry, what about the effect of Brexit on how we deal with personal data going forwards? For the time being, nothing will change. However, much will then depend upon our Brexit negotiations and it is highly likely that a condition of doing business with the EU in the future will be our acceptance of various EU rules including the whole (or at least the main substance) of the new EU General Data Protection Regulation which is due to come into force on 25 May 2018.
At present, the Information Commissioner can impose fines on organisations which breach data protection legislation of up to £500,000. However, if the new Regulation does end up applying in full, the limit on fines would be increased to €20 million or 4% of worldwide turnover (whichever is higher).
Data protection may not be the main topic of water-cooler chat, but the risk of substantial fines and reputational damage for employers should make training and investing in it a no-brainer for all businesses.