The dust may have settled after the upheaval of 25th May 2018 and the start of the General Data Protection Regulation (GDPR), but now is no time to rest on your laurels, as the task of protecting personal data is ongoing. Here are some tips to help your company remain GDPR compliant.
Keep staff aware
Remind employees on a regular basis about the importance of protecting personal data and the company’s security policy, either via regular training sessions or email reminders. In a general office environment, staff should know the correct process for disposing of confidential papers, not disclose personal information over the phone, keep passwords secure, and take care when opening emails and attachments to prevent a virus infection.
Make sure that there is a clear process in place for detecting, investigating and internally reporting potential data breaches. Staff should be aware of this and the importance of reporting breaches quickly, as certain types of data breaches must be reported to the Information Commissioner’s Office (ICO) within 72 hours of the company becoming aware of them.
Minimise data breach risks
A breach of personal data is a security breach which leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. In practice, many potential breaches arise from human error, and a few simple steps could prevent an accidental breach:
* Turn off auto-fill on email addresses to cut down on the risk of an email with personal data being sent to the wrong recipient.
* Enable Blind Carbon Copy (BCC) by default on group emails.
* Consider using encryption technology on mobile work devices such as laptops, so that if they are lost or stolen it is unlikely that anyone could break in and access their data.
* Make sure confidential paperwork is disposed of in a secure way, either by using a cross-cut shredder or a secure disposal service.
Appoint a Data Protection Officer (DPO)?
It is not necessary for every company to appoint a DPO but it is necessary for a company to have enough staff and resources to meet its obligations under GDPR. Depending on the company’s situation and size, it may be preferable to employ or designate an existing employee as a DPO as part of a robust data compliance policy. A DPO could provide regular data protection training to staff, audit data processing and conduct regular risk assessments to find any potential problems with the company’s security system. It is also their role to maintain a data breach register.
Cooperate with the ICO
Should the worst happen and there is a data breach, act quickly to contain it, investigate, and assess the risk to the rights and freedoms of those affected by the data breach. If the data breach is serious enough that it needs to be reported, then make sure that the ICO is notified within 72 hours of the breach being discovered. Even if the full investigation is not finished, it is better to notify the ICO and update them with information as it becomes available than to leave it, as failure to notify the ICO of a serious breach could result in a fine of up to 10 million euros.
If the risk is assessed as not impacting on the rights and freedoms of those affected and you decide not to inform the ICO, this decision needs to be justified and documented.