We see scenes like this every day and perhaps take things for granted, or we presume or ignore. We miss the obvious.
Recently I was discussing potential ‘data breach hazards’ in the office with a customer, explaining how something as basic as an office rubbish bin has a big part to play in data protection. Normally when I mention this there is a pause in the conversation, followed by a realisation as to what I am talking about, or just silence and a look of confusion.
I explain, for example, when a member of staff writes down details from a phone call, after the required action is taken – the piece of paper ends up in the bin.
After the 25th May 2018, that will be a data breach.
Here are just a few indicators of a potential data breach in an office…
Did you see them, would your staff?
If you are a business owner and you were to call a company meeting with all your staff and ask them, ‘In your job role, what is important about Friday the 25th May?’ how many of them would know what you are talking about?
How many blank faces would there be in the room? You should try it.
Does the scene look familiar to your working environment? Were you able to identify possible risks? If it’s not clear, we need to talk.
Don’t assume everyone in your organisation knows that GDPR is coming into force in just a matter of months. That could be a very expensive assumption.
Any organisation that records information about ‘people’ needs to know about the GDPR. Having that knowledge is a necessity. It is a business owner and leadership’s responsibility to make sure that everyone in their organisation is aware of the new data protection regulations and good data privacy processes.
One of the main issues we have experienced is lack of awareness by staff and stakeholders of what they need to do in being GDPR compliant. It is a risk you need not take.
So, what can you do about it? How can you assure that your organisation is compliant with the new data protection regulations?
You can employ a Data Protection Officer (for companies over 250 employees or that handle specific information, having a DPO is compulsory).
You and your employees can undertake a training program to further your understanding of what you, your organisation and your stakeholders should be doing to prepare to make sure you are compliant with the GDPR.
The issue of compliance with data protection legislation can be daunting and a structured training solution can simplify what you need to know. It really can be made simple.
Seeking professional advice and using a structured training programme can give you total reassurance. You need to make sure you and the leadership understand the following:
- The GDPR and who it will affect
- Why the GDPR is important to you
- Which person is ‘responsible’ for complying with the new regulations
- How long you can keep client information
- If you have to review the new policy
- If you need a Data Protection Officer
- Why you need to record the data you are collecting, including the purpose for which you intend to use it
- The processes for recording how you work with data, and confirming that you have the right consent from each individual
- Securing data, auditing data and privileged access to this data will also become mandatory
- You will need to inform the relevant supervisory authority within 72 hours of your organisation becoming aware of a data breach
- Discuss GDPR and IT
Protecting your customer, client, beneficiaries or employee’s information is crucial to all organisations. Here are some very typical examples of how your staff could cause a data breach without realising:
- Waste paper in the bin with personal details written on it
- Stolen or lost mobile phones with customer or staff related information on
- Stolen or lost laptop with customer or staff related information on
- Documents left on show on desks
- Stolen or lost USB sticks
- Unlocked filing cabinets
- Old databases (Excel spreadsheets from tradeshows and so on)
- Hard drives
- Employees sharing customer data on their computers
- Diaries thrown away once out of date
- Bags or briefcases containing laptops or phones being lost or stolen
- Phone numbers for cold calling
- Unencrypted USB sticks, external hard drives or mobile devices
- Cloud data stored in insecure applications or cloud services
- Poor password control
- Poor passwords
- And this one may seem obvious, but we see it so often: usernames and passwords stuck on the front of the screen, in your diary or notebook, or even pinned to the notice board in your office
We all love people watching. Next time you are in an airport, in a café, on the train or in other public places – look out for the data breach hazards.
With just over 100 days to go, it’s clear to me that inboxes and forums are becoming drowned in the topic of the GDPR. As experts in our field, it’s frustrating to think that the GDPR noise is blocking information that people really need to know. Our experience and wealth of knowledge have gone into our training products – we look at the big picture. Whilst the existing DPA is there to protect us, there are big changes ahead. Training all stakeholders within an organisation is vital because any one of them could cause a data breach.