How many data exposure risks can you see in this picture?

GDPR & Employees

Take a look at the below. Can you see a potential data breach?

Hopefully, you can see quite a few, from the paper in the waste bin, the open files on the desk, through to the person on the telephone who may be taking client notes and leaving them exposed.

When I talk to my clients and prospects, I am still amazed at how many of them don’t know anything about the upcoming daata protection changes with the GDPR – the new data regulations that come into force on the 25^th May and I explain to them that it is essential they know about the big changes in data protection.

People are aware of the DPA (Data Protection Act) but the GDPR is bigger and better to help protect a person’s digital existence online. If you don’t comply with the new regulations, the fines will be a lot more. Customers are trusting you with their data, and you need to make sure you look after it properly.

Currently, the maximum fine the ICO can charge is £500,000. When the GDPR comes into force the maximum fine is £17M or up to 4% of global company turnover,

As business owners, we should be aware of potential data breaches. Not just in the working environment but for employees that work remotely.

Employee Awareness

How many of your employees are aware of the data protection changes ahead? If you were to ask them what would they say?

You should try it. It could prove to be a valuable exercise.

Do they know that they can’t put a piece of paper in the bin that contains the name and address of a person? Do they leave files containing personal information sitting on their desk? Do you write people’s contact details in your diary or share other people’s business cards?

It’s simple things like that…

After the 25^th May 2018, those actions could result in a potential data breach.

The key thing to remember is:

Any organisation that records information about ‘people’ needs to know about the GDPR and having that knowledge is a necessity. It is a business owner and leadership’s responsibility to make sure that everyone in their organisation is aware of the new data protection regulations and good data privacy processes

What can you do ?

Know your data, know where it is and know what to do if there is a data breach.

How can you assure that your organisation is compliant with the new data protection regulations?

You can employ a Data Protection Officer (DPO) and for companies over 250 employees or companies that handle specific information, having a DPO is compulsory.

You and your employees can undertake a training program to further your understanding of what you, your organisation and your stakeholders should be doing to prepare to make sure you are compliant with the GDPR.

Seeking professional advice and using a structured training programme can give you total reassurance. You need to make sure you and the leadership understands the following:

The GDPR and who it will affect
Why the GDPR is important to you
Who is ‘responsible’ for complying to the new regulations and ensuring ongoing compliance
How long you can keep client information
If you have to review the new policy
If you need a Data Protection Officer
Why you need to record the data you are collecting including for what purpose they intend to use it
The recording processes of how you work with data and consideration that you have the right consent from each individual
Securing data, auditing data and privileged access to this data will also become mandatory
You will need to inform the relevant supervisory authority within 72 hours of your organisation becoming aware of a data breach
Discuss GDPR and IT, although data protection is a Business Issue, not an IT issue, IT plays an important part in the process.

Protecting your customer, client, beneficiaries or employee’s information is crucial to all organisations.

Here are some typical examples of how your staff could cause a data breach without realising:

Waste paper in the bin with personal details written on it
Stolen or lost mobile phones with customer or staff related information on
Stolen or lost laptop with customer or staff related information on
Documents left on show on desks
Stolen or lost USB sticks
Unlocked filing cabinets
Old data bases (Excel spreadsheets from tradeshows and so on)
Hard drives
Employees sharing customer data on their computers
Diaries thrown away once out of date
Bags or brief cases containing laptops or phones being lost or stolen
Phone numbers for cold calling
Directories
Unencrypted USB sticks, external hard drives or mobile devices
Cloud data stored in insecure applications or cloud services
Poor password control
Poor passwords
And this one may seem obvious, but we see this so often; usernames and passwords stuck on the front of the screen, in your diary, notebook or even stuck to your notice board in your office

Next time you are in an airport, in a café, on the train or in other public places – look out for some data breach hazards. Has someone left their laptop unattended, have they dropped a USB stick or left their mobile phone on the seat?

It is vital for me as a business owner to be completely up to date with all the GDPR developments. As experts in our industry, we are very aware, and have seen real life examples, of the catastrophic effect of a cyber crime or a data breach.

We can help you reduce the risk. Let me know if we can help, always happy to have a chat even just to advise.

Read more about the ICO and the GDPR

The ICO, GDPR & Data Protection in Numbers

Some interesting facts and statistics on the ICO for the last couple of years. Leading up to the GDPR implementation in the next few months time, the fines are going to increase and every business should be aware of whats upcoming.

The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

During 2016/2017 the ICO issued fines topping £3.5 million under the Data Protection Act and Privacy of Electronic Communication Regulations. (1)

The ICO dealt with a record 20,919 data-protection complaints and self-reported incidents across all sectors in that time span to 31st March, a rise of 14% on the previous 12 months. (2)

Data published by the ICO in May 2017 for 2016/17 revealed:

The ICO dealt with a record 20,919 data-protection complaints and self-reported incidents across all sectors in the year to 31st March, a rise of 14% on the previous 12 months
In 2016/17 the ICO was alerted to 2,565 breaches of data-protection law by the organisations involved, an increase of 31.5% on the year before
Of those breaches, 4% – approximately 103 cases – involved charities, making charities the sector with the joint fifth-highest proportion of self-reported incidents, alongside solicitors and policing
Charities were responsible for 4% of the self-reported data-protection incidents that were handled by the ICO in 2016/17
The health sector accounted for 41% of self-reported incidents, local government accounted for 11%, general business for 9% and education for 6%
The ICO finished dealing with 2,445 self-reported incidents in 2016/17 and handed out monetary penalties in 17% of cases
In 1,680 cases no action was required, in 638 cases the data controller was required to act and in 68 cases an improvement plan was agreed between the ICO and the data controller
In a statement, the ICO said it had become easier for organisations and the public to alert the regulator to concerns because of its new live chat services and online reporting tool for the public and new self-assessment tools for organisations

The ICO also published statistics about the number of issues it had dealt with in relation to marketing and nuisance calls across all sectors. It received 167,018 complaints about marketing that broke the Privacy and Electronic Communications Regulations 2003 and handed out a record 23 fines, totalling more than £1.92m, for what it called “a range of unlawful marketing activities”. (3)

Since January 2017 the ICO have kept us informed of the developments leading up to the new General Data Protection Regulation (GDPR) enforcement which is due on 25^th May 2018.

January 2018 – Most recently, there has been more information added about ‘personal data breaches’.
December 2017 – The ICO published detailed guidance on ‘children and the GDPR’, ‘lawful basis for processing’ and ‘rights’ related to automated individual decision making including profiling. The Article 29 Working Party published guidance on ‘consent’ and ‘transparency’ and guidelines on ‘breach notification and automated decision making’.
November 2017 – The Article 29 Working Party published guidelines on ‘imposing administrative fines’. They replaced the ‘Overview of the GDPR’ with the ‘Guide to the GDPR’. There was an extended section on ‘consent’, ‘contracts and liabilities’.
October 2017 – The Article 29 Working Party published the ‘breach notification’ and ‘automated individual decision making and profiling’. In addition to that, guidelines on ‘administrative fines’ and updated the ‘automated decision making and profiling’.
September 2017 – The ICO put out for consultation the draft GDPR guidance on ‘contracts and liabilities for controllers and processors’.
July 2017 – In the ‘Key areas to consider’ they updated the next steps in regard to the ICO’s ‘consent’ guidance and the Article 29 Working Party’s Europe-wide ‘consent’ guidelines.
June 2017 – Added guidelines on ‘high-risk processing’ and ‘data protection impact assessments’.
May 2017 – Updated the ‘GDPR 12 steps to take now’ document. Added a ‘getting ready for the GDPR checklist’ to the self-assessment toolkit.
April 2017 – Published the ‘profiling’ discussion paper for feedback.
March 2017 – Published the draft ‘consent’ guidance for public consultation.
January 2017 – Published the guidance for ‘data portability’, ‘lead supervisory authorities’ and ‘data protection officers’.

Find out the full details on the ICO’s ‘What’s new?’

ICO fee and registration changes for 2018

As the countdown continues to the implementation of the GDPR taking effect in May this year, the ICO are notifying businesses about the change in fees. Under the current Data Protection Act (DPA), organisations that process personal information are required to notify with the ICO as data controllers (unless an exemption applies). This involves explaining what personal data they collect and what they do with it. They are also required to pay a notification fee, based on their size, of either £35 or £500.

Find out more about the new ICO fee changes here.

Tag : ICO

Three reasons your own people are more dangerous to your business than hackers – Insider Threat

The Unwitting Enemy Within

The GDPR and Data Retention

About us

Navigation

Get in Touch

Tags