The countdown to GDPR (European General Data Protection Regulation) continues. Its aim is to strengthen and unify data protection for all individuals within the European Union. It is important that accountants and those in the financial services sector know what it is in terms of risk management as well as regulation.
Many of you will throw up your hands in horror and say, “but we are Brexiting so why should we care?” A good question, but for this moment in time the rules still apply, and with heavy fines for offenders, it is best that you know what they are. No man is an island. We are all part of a much bigger picture and legislation in one country has a way of making itself felt in another.
The theme of access to data came up in the Queen’s Speech. If the proposed bills go through Parliament, the police will be given additional powers of access to our data and young people will have the right to demand social networks delete any personal information they had shared prior to turning 18.
Therefore, if you still believe the UK’s departure from the EU will negate the need for change in terms of managing data, you are sadly mistaken.
But, the EU GDPR has implications way beyond technology. This is a business problem, not an IT or a HR issue. You may be a small firm without HR and outsource your IT. It is still your problem. You cannot leave it to anyone else, however tempting that may be.
As business owners, we are accountable for the information that we store on clients and our employees. We need to change how data is perceived, and begin to treat it as a company asset and ensure it doesn’t become a liability.
Let me give you an example. If the data you had stored on a client was a company car you would want to know if the person who had access to it was qualified to drive. You would ask for their driving licence and check they had no insurance issues.
You would want to know the car/data was being properly maintained, wasn’t being used illegally (bank robbery) and that it would be returned in good working order. If appropriate, it would be disposed of following the correct legal procedures at an authorised facility.
Why then do we not do the same with our data? Do you know which members of staff have access to it and why? What about when they or the client leaves?
Data comes in many forms. It is not just about paperwork and information on your computer.
- Security cameras have photographic data
- A customers’ signing in book with name, company details, car registration – that’s all data
- Biometric finger recognition on devices
- Waste paper bins (with / without confidential information in them)
- USB sticks at the back of drawers
- Dusty old HR records at the back of a cupboard
- Old bank statements at the back of a filing cabinet
- An external hard drive for one of your servers
And this is the “stuff” that you can see. What about other records you may not know about?
- Employees with old files sitting at home
- A laptop that someone accepted from former employee and forgot to return to the office
- Data a member of staff emailed to their personal email id to enable them to work at home
- Information sent to a third party
- Sharing of a whole spreadsheet rather than just the relevant data.
As business leaders, this has to be a project led by top management and senior leadership. The culture of the organisation is key and explaining to all staff what the process will be over the coming months is fundamental to the success.
Involve and educate your staff. They probably know more about how data is processed and managed than you. They will become your greatest asset in ensuring compliance to the new legislation.
To quote Benjamin Franklin: “Tell me and I forget, teach me and I may remember, involve me and I learn.”
Read Helen Barge’s tips on how to best minimise cyber security risk.
Helen Barge is managing director of Leamington based Risk Evolves, helping businesses prepare and meet risk management in IT. Helen is an expert in cyber security and works with a wide range of businesses and organisations including the police to identify and manage risk, and to protect reputation should an attack occur.