The General Data Protection Regulation will be effective as of 25 May 2018, and businesses that breach it might be fined up to 4% of annual global turnover or €20m, whichever is the greater. Here’s what you need to know about GDPR.
GDPR: How your business should deal with personal data
The GDPR is a piece of legislation with some tricky technical aspects, so you could be fooled into thinking that it’s only relevant for those who are experts in data privacy.
Unfortunately, this couldn’t be further from the truth. Protecting personal data is relevant for everybody involved in a business, and for all sizes of business – from sole traders and charities right up to the biggest corporations.
Have you ever stopped to think about how much data you deal with every day, maybe even without realising? Article 5(f) of the GDPR says the following: “[personal data shall be] processed in a manner that ensures appropriate security.”
It’s no longer enough to keep your fingers crossed. Let’s take a look at a typical day in the life of a regular employee and, with regard to the above, see just some of where the gotchas for data protection lie. This isn’t an extensive list, of course, and that’s perhaps the most important takeaway here – data protection is an ongoing process that must be considered every minute of every day.
Morning commute: 7am to 9am
Who hasn’t checked their work email on the morning commute? Some people start to deal with their emails even before climbing out of bed.
Email is one of the key ways personal data gets into or out of a business. If you have even a few emails in your inbox then you’ve amassed a surprising amount of personal data, and this is a perfect example of how even businesses that claim to be immune from the GDPR simply aren’t – and cannot be. It also demonstrates how pervasive personal data is within a business.
Checking email on your phone carries security risks: a phishing message or malicious attachment opened on a mobile device is an obvious route to a data breach. If a message in your phone’s inbox looks questionable, it might be best to wait until you get to the office and open it on your desktop computer (assuming it isn’t clearly something that should simply be deleted, of course).
Mobile phones simply don’t have the same kind of mature and evolved security measures as desktop computers, which typically have antivirus apps installed along with malware and phishing protection.
It isn’t just technology that presents data protection challenges on the commute. Watch what you’re saying on calls and how loudly you’re speaking: people nearby could overhear sensitive discussions that may involve personal data. Watch out too for nosey parkers who peer at your screen when sitting next to you.
In the office: 9am to 5pm
Most office jobs involve handling or transferring personal data in some way, and therefore data protection and the requirements of the GDPR must be considered at all times.
Let’s say a colleague across the office asks you to pass them some files. These files contain personal data and are too big to email. In many offices, it’s natural to reach for a USB memory stick and pass around data that way. But this opens up a serious security hole.
There’s nothing wrong with using USB memory sticks as such, but you need to ensure the data is encrypted with a password before you transfer it. That way, if the USB stick is lost or stolen, nobody will be able to access the data on it.
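One way to do that, added here as an example and not part of the original article: a POSIX shell script that uses the openssl command-line tool (assumed installed, along with cmp, sed and grep) to password-encrypt a constructed sample file with PBKDF2 key derivation and AES-256-CBC, and only approves the encrypted copy for the stick once it has checked that no plaintext leaked and that the file decrypts back to the original bytes.

```shell
#!/bin/sh
# Added example, not from the Sage article: password-encrypt a file before it
# goes onto a USB stick, using the openssl CLI (assumed installed) with PBKDF2
# key derivation and AES-256-CBC. The passphrase file must travel separately
# from the stick (tell the colleague in person, never on the same media).

# encrypt_for_usb <plaintext> <ciphertext-out> <passphrase-file>
encrypt_for_usb() {
  openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
    -in "$1" -out "$2" -pass "file:$3"
}

# decrypt_from_usb <ciphertext> <plaintext-out> <passphrase-file>
decrypt_from_usb() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
    -in "$1" -out "$2" -pass "file:$3"
}

# encrypt_and_verify <plaintext> <ciphertext-out> <passphrase-file>
# Exit 0 only if no plaintext line is visible in the output and a test
# decryption with the same passphrase reproduces the original bytes.
encrypt_and_verify() {
  work=$(mktemp -d)
  encrypt_for_usb "$1" "$2" "$3" || { rm -rf "$work"; return 1; }
  # The second line of the sample holds a real-looking record; it must not appear verbatim.
  if grep -qF "$(sed -n 2p "$1")" "$2"; then
    rm -rf "$work"; return 1
  fi
  decrypt_from_usb "$2" "$work/check.dec" "$3" || { rm -rf "$work"; return 1; }
  if cmp -s "$1" "$work/check.dec"; then rc=0; else rc=1; fi
  rm -rf "$work"
  return $rc
}

# Constructed sample: a small export of fictional customer records plus a passphrase.
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/customers.csv" <<'EOF'
name,email,phone
Alice Example,alice@example.com,+44 7700 900123
Bob Sample,bob@example.org,+44 7700 900456
EOF
printf '%s\n' 'correct horse battery staple' > "$DEMO_DIR/pass.txt"

if encrypt_and_verify "$DEMO_DIR/customers.csv" "$DEMO_DIR/customers.enc" "$DEMO_DIR/pass.txt"; then
  echo "verified: copy $DEMO_DIR/customers.enc to the stick, share the passphrase separately"
else
  echo "encryption check failed; do not copy the file" >&2
fi
```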
How about if you’re working with a third-party company and they request that you send them some data? In the first instance, you need to question whether there’s a lawful reason for sending the data to that third party. You should also wait until you are positive your business has a contract or signed non-disclosure agreement with them.
If transferring files to an approved third party, again you must use a secure file transfer solution when sharing sensitive information. And don’t forget that long email chains you forward may contain data from previous correspondence that is itself personal data.
When working with third parties both you and they will probably have to document your measures to comply with the GDPR as part of the new record-keeping requirements.
Got old files or reports? Archive or delete them as appropriate if no longer needed (or establish another lawful reason for continuing to process the data). And remember that if you’re using personal data for which consent was given for a particular purpose, you can’t then use it for something else unless you get fresh consent.
You might need to ensure the data is correctly destroyed – for example, if you receive a request from an individual for this to happen – and this can be a challenge in itself: a file simply deleted from a computer’s hard disk often remains on the disk and can be recovered.
The secure delete function of your computer’s operating system might offer a solution but if the data is on removable storage such as a CD/DVD, or even on a hard disk dedicated to the purpose of transferring data, then you will need to look into secure physical destruction methods.
Heading home: 5pm to 7pm
Before walking out of the office, be careful not to leave your laptop open or PC screen visible. Remember to lock your system’s screens when leaving them unattended in the office, or shut down fully at the end of the day before heading home.
Get into the habit of leaving your desk clear every evening, which can involve locking away paperwork that contains personal data. If you don’t need personal papers anymore, shred them or put them in a secure locked shredding bin. Watch out for accidentally leaving any personal papers or computer equipment on cafe tables, train seats, and so on.
While on the evening commute on the train, or in transit to any location, think twice before connecting to unsecured wi-fi networks. If you’re planning to access personal data, consider using a VPN (Virtual Private Network), which encrypts your traffic even when it flows through a potentially unsecured network. The VPN should have its “endpoint” at your business premises to ensure maximum data security.
More help to protect personal data
Need more help on getting your business ready for GDPR? Our Sage Business Experts have shared their experiences of preparing for the new legislation and have shared some tips.