If your business has been following the ICO’s 12 point GDPR plan as detailed in previous issues of the eBulletin, you will already know you need to think about the personal data you hold within the business and how it is kept secure.
Breaches by individuals can attract not just fines but criminal convictions, as was seen recently when a recruitment manager who sent out 26 CVs to an external recruitment agency without consent from the data subjects was prosecuted at Birmingham Magistrates' Court under Section 55 of the Data Protection Act. He pleaded guilty and picked up a £994 fine (including costs and a victim surcharge).
If your business wants to avoid such prosecution, you do need to make sure that there are systems in place and that members of staff have a good understanding of how to treat personal data.
Simple and practical actions could include moving filing cabinets of customer invoices to a locked room so that unauthorised people cannot wander in and gain access to files, requiring staff to sign regular memos reminding them not to leave their work iPad unattended, and making sure any third-party information processors are fully aware of the GDPR.
Your company should start to liaise with any third parties who hold or process your company data since, if you give them personal data, the onus is on your company to ensure the data is kept secure and only used for purposes for which consent has been freely given. Some third-party organisations are already taking action, for example working towards ISO27001 certification, part of the ISO27000 family setting out international standards for keeping information assets secure.
Further articles on GDPR will appear in future issues of the eBulletin.