With the countdown to May 2018 underway, organisations across the country are racing to prepare for the GDPR. And while the changes might mean extra work for thousands of professionals across the country, most would agree they’re long overdue. The original – and existing – Data Protection Act was passed way back in 1998, when the internet barely existed, and few would have predicted what it had in store.
The new regulations recognise the enormous impact that the internet has had over the last 20 years, and the data explosion that came with it. We now think it’s perfectly normal that online companies know where we live, who we’re friends with and what we like to eat. Yet with so much of our personal data involved, we need the reassurance that it’s adequately protected.
On the flipside, organisations large and small now rely on customer data to trade and operate effectively. Few businesses remain untouched by the data revolution, and its influence is growing all the time. That’s why, with or without the GDPR, managing customer and employee data can no longer be brushed under the carpet, or left solely to the IT department or office manager. Data is everyone’s business and every employee has a role in keeping it safe.
Here are a few of the ways that you can start to engage employees in the importance of data protection:
- Top down engagement: Technology and data are now so important, that data protection and cyber security have become executive level issues. There’s no point expecting employees to get on board with the new rules if the CEO doesn’t know what’s required and why. The management team must lead by example, while working together to ensure the message is communicated effectively across the whole business.
- Implement a data protection policy: Processes and procedures regarding data and security should be outlined in a clear and concise policy, which all employees should read and sign. The document should include key dos and don’ts regarding handling sensitive information, customers rights, as well as password security and how to detect and report any data concerns or suspicious activity. It can form part of the induction of new employees, and act as a reference guide, if ever anybody has a query about handling data.
- Build data protection in from the ground up: The GDPR advises taking a ‘privacy by design’ approach, whereby data protection is hardwired into the processes and behaviours of the organisation. You can encourage this by including a data protection element in the mission and values of your company, as well as including it in job descriptions, employee contracts and progress reviews. That way it always stays front of mind with staff and that they understand its importance.
- Communication, training and development: The new regulations provide a good excuse to kick start regular training on data protection and cyber security issues. Cyber training is often overlooked – a recent Government survey found that only 20 per cent of businesses have ever given staff some kind of cyber security training. And while it might sound dull, it doesn’t have to be. Try to be creative about how you do it by organising quizzes, events and learning from examples of where organisations have been caught out.
- Access management: While cultural change is important, it’s also crucial that you have controls in place with regards to who can access what data. That means that only those employees that need certain information should be able to gain entry to the files in question, with password protection in place at the very least, and further authentication if possible. The access levels required by each employee should be tracked on an ongoing basis so that nobody has any log-ins they don’t need. Privileges should be automatically revoked and details changed when employees leave the company.
Data protection isn’t something you can do once and forget about for another year or two. As technology evolves and the data keeps getting bigger, it requires constant focus to ensure you’re sticking to the rules, while protecting your customers and your business reputation at the same time. It’s time for data to come out of the back room and into the heart of the business.
By Ben Rose, Insurance Director, Digital Risks
GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.
Further information and conference details are available at http://www.gdprsummit.london/