January 3, 2019 Governing data security
At the beginning of 2018 the business advice columns were awash with articles about the new general data protection regulations (GDPR) which were due to come into force in May of that year. Some businesses were already well ahead in their preparations whilst others had yet to get to grips with the changes required to data management. In the meanwhile so many rural myths had grown up about what the new GDPR regulations would mean in practice that the Information Commissioner’s Office (ICO) were issuing a myth-busting series of posts.
One year on and the hype may have died down but the GDPR regulations are very much now in force. As with so many other initiatives this then is the danger time, a period in which other regulations and concerns can take precedence unless a GDPR mindset has been firmly embedded in the business culture.
Let’s take one of the fundamental planks of the GDPR regulations as an example, the requirement to maintain data security. In its assessment guidance for small businesses and sole traders the ICO lists four questions which businesses should explore when judging if they meet the data security requirement. These cover the security of paper and electronic records both in the office and when transferred elsewhere. So paper records should be kept in lockable filing cabinets, transferred by secure methods and disposed of in a secure manner when no longer required.
Similarly, in order to maintain the security of electronic records computers should be locked or logged off when individuals are away from their desks, the use of appropriate passwords should be considered and mobile devices should be encrypted. Data back-ups should also be carried out in a secure manner.
Precautions such as these will only become part of the everyday life of the business if the direction and leadership comes from the top. And indeed, data security should be integral to a director’s duties, having regard to the requirement to act with reasonable care, skill and diligence as well as to maintain a high standard of business conduct.
However it appears that there is some way to go before a GDPR is fully embedded in business life. A recent survey by Probrand has revealed that 64% of workers admitted to transferring customer emails to their personal email accounts in order to facilitate out of hours working. The workers may have had the best of intentions but in doing so they and their organisations were in breach of GDPR regulations. It’s a wake-up call for businesses to take another look at their day to day practices. As the ICO were at pains to make clear in 2018; GDPR work didn’t stop on May 25th 2018, it is an ongoing process which should guide data management practices in businesses into the future.
