Nine months after GDPR — the General Data Protection Regulation – came into force, many companies are still struggling to meet their obligations under the law.
According to some accounts, as many as one-third of British businesses admit that they are not compliant, and it is reasonable to assume that at least some of the rest are mistaken.
Writing this week in ITProPortal, Robert Wassall, Director of Legal Services at cyber-security consultant ThinkMarble, said:
“With many organisations already far behind on compliance, we are likely to see a large wave of fines and disciplinary action from the [regulator] in the next six months if organisations don’t take the spirit of the GDPR to heart.”
Even if you feel that the urgency to take action has gone away, your responsibilities and potential liabilities have not.
Data protection is a big area to address, and it makes sense to focus first on your main vulnerabilities.
While much of the media attention has been on data relating to customers, the fact is that many companies hold far more personal data on each employee than they do on each customer. And if your business is providing support services, typically involving large numbers of employees and contractors, then a main focus of your GDPR efforts has to be the protection of employee data.
In many businesses, personal documents can be found in both paper and digital form in all sorts of locations for all sorts of reasons, and each of these is a data breach waiting to happen. It’s called ‘data sprawl’ and the more of it that you permit, the greater the security risk to you and your staff.
Consider the information flow when an employee working remotely needs to update their employment records; photocopied documents can be in a supervisor’s car, or in the post, and must then be verified by someone in the office and filed appropriately, while the electronic record must be properly updated separately. The whole process can take ages, and the opportunities for mistakes are huge.
It doesn’t have to be that way
Imagine, however, if there was a simple portal which the employee could access from an app on their phone, scanning the document with their phone’s camera and instantly uploading it via an encrypted link to your system. From a GDPR point of view, this would be a vast improvement.
It would also allow the employee to directly and instantly change their details, either automatically or with approval, enabling easy compliance with the GDPR requirement for data correction.
Fortunately, Innovisehas thought of all of that when developing its flagship Timegate product. Using Timegate’s ‘Details’ button, staff can do all of this and more, removing the risk of unprotected paperwork being seen by the wrong people, and greatly improving the speed and accuracy of data input.
And because the data exists in fewer places, Subject Access Requests (SARs) can be addressed much more efficiently, and within the one-month time limit imposed by GDPR.
Similarly, information can be made available to staff securely and instantly via the ‘Messaging’ and ‘Documents’ functions, again without the risk of paper going astray, and with a clear audit trail.
Do the right thing
From a compliance point of view, there are two elements to this – doing the right thing, and being able to show that you did the right thing. In the event of a data breach, the regulator will take a more favourable view if you can show that you’ve taken sensible precautions to secure personal data.
Matt Rowley, of Harrowell’s solicitors, commented:
“A bit like that maths test at school, even if the [regulator] thinks you got the answer wrong, they will give you credit for ‘showing your workings’.”