[Reformat for Autocue]
SCENE 01: Introduction
Most of us are familiar with the term “data protection”. Since 1995 the Data Protection Act controlled how our personal information is used by organisations, businesses and the government. But, as of May 25th, 2018, these laws are replaced by the GDPR – a regulation on data protection and privacy for all individuals within the European Union. And GDPR will continue to affect UK citizens and businesses, irrespective of the final outcome of Brexit.
SCENE 02: So, how does the GDPR affect [CLIENT]?
In this digital world, our personal data has become a valuable commodity. It’s used to influence our choices, with personalised marketing messages, and to analyse our habits and preferences.
The GDPR is designed to give EU residents sweeping new powers over how their personal data can be collected, used and stored, making it much easier for individuals to exercise their privacy rights.
These new rights, enshrined in GDPR law, include:
- the right to access their data
- the right to know what data we hold and what we do with it
- the right to correct their data if it’s wrong
- the right to object to certain automated processing
- the right to stop us processing their data, and
- the right to receive a copy of their data in a portable format
- the right to have all their data erased, and this includes all backup and archived copies
Under the GDPR, it’s easy for individuals to exercise these rights and, as a ‘Data Controller’, [CLIENT] only has 30 days to comply, in the event of a complaint. Therefore, the ability to accurately map the digital data collected, where it is stored, archived and backed up is vital, in order to meet the 30-day deadline. And although [CLIENT] is not currently required to maintain a record of processing activities that it performs, the company has identified potential areas of risk, by revealing where all personal data records are kept.
The GDPR simplifies regulations for all firms that control or process personal data. However, [CLIENT] must adhere to a strict data protection compliance regime and be able to demonstrate its commitment to safeguarding people’s privacy. This requires the implementation of appropriate technical and organisational measures, to maintain compliance with the GDPR. These measures should be regularly reviewed and updated whenever necessary. Failure to comply, especially if a data breach occurs, can result in severe financial penalties.
SCENE 03: Privacy
[CLIENT] has a legal obligation to safeguard the privacy of its clients and employees. And everyone in the company who handles personal data, whether it’s in digital or printed form, has a duty of care to protect that data.
The company’s Privacy Notices explain what information is collected, and how the company uses and protects that data. Failure to live up to our own Privacy Notice can potentially lead to a financial penalty, as well as damage to the company’s reputation and brand. So, it’s now more important than ever that everyone works together to protect people’s personal data. And ‘personal data’ can be something as simple as an email address or phone number. In some cases, this small amount of data, obtained without consent, could be sufficient for an individual to lodge a formal complaint.
Remember, [CLIENT] only has 30 days to respond in the event of a complaint. Now, as already mentioned, the company has implemented measures to accurately map all digital data collected. However, personal data is also made available as printed documents such as customer lists used by sales staff. So, the distribution of paper-based information needs to be tracked, in terms of the number of copies and the names of recipients, to avoid incidents where personal data could be breached.
A data breach could occur if a document is:
- lost, mislaid, or simply left lying around unattended
- passed to an unauthorised third party
- photocopied or duplicated without authorisation
- photographed and emailed to an unauthorised party
It is also vital that all printed information given to any member of staff is properly destroyed when no longer needed. And, in the event of the loss of a document such as a customer record, employee file, payroll list, or any document containing Personal Data, this must be reported immediately.
SCENE 04: Data Breaches
A data breach is the most serious cause for complaint and will normally incur severe financial penalties in the form of punitive fines. There is also a high risk of damage to the company’s reputation and brand.
It is important that you know who is responsible for Data Protection within the company and are aware of the correct process for reporting a data breach. If you suspect a breach has occurred (and this can be as simple as copying unencrypted data to an employee’s personal phone, iPad or laptop), you must report it to the appropriate [CLIENT] colleague immediately. They will need to know: what data you believe has been breached; where the breach occurred, whether within our system or in a document stored on a PC or mobile device; how many records are affected; when the breach occurred; and any other pertinent information you can provide.
If you suspect that the breach involves any ‘sensitive data’, you must alert your colleague to this. For example, ‘sensitive data’ could potentially be included in the employee records of staff members who have devolved police powers.
Here are 5 key principles that all department managers and their team members should apply, in order to maintain a high level of Data Privacy…
- Stop and think before you disclose personal data to anyone.
- Consider how you would feel if your personal data got into the wrong hands. You need to protect other people’s personal data as you would want your own data to be protected.
- Data breaches most often occur through employee mistakes. So be vigilant.
- Ensure that you keep your team members up to date with any changes in procedures for handling personal data.
- Always remember: Getting this wrong can have a massive financial impact on the company, through punitive fines. It can damage relationships with clients and harm [CLIENT]’s reputation. All of these factors can ultimately put jobs at risk.
SCENE 04A: Emails
Emails will be automatically deleted from each employee’s inbox, outbox, sent items and deleted items folders after 90 days. Emails placed in any subfolder or archived will not be subject to the automatic deletion policy. Whenever it is necessary to retain a particular email pursuant to the Record Retention Schedule, either archive the message or place it in a subfolder.
SCENE 04B: Annual Clear up
To ensure that a minimal level of records management discipline is followed, we have adopted a policy of requiring an annual File Clean-Up Day. Each year, the Head of each department must pick a date between 1st February and 31st March as File Clean-Up Day.
SCENE 04C: Third Parties
There may be times when you are asked to pass personal data to a third party. For example, when a client needs to carry out security checks before allowing staff to work at a particular event.
Effectively, the client is processing data on behalf of [CLIENT]. Under GDPR law, any breach by the third party is still [CLIENT]’s responsibility. So, in any situation where a third party requests personal data, you must always seek internal approval before transferring any data. This is because a Compliance Contract may need to be in place before data is transferred to the third party.
SCENE 05: Summary
The bottom line with Data Privacy is this… When data that should be kept private gets into the wrong hands, bad things can happen. Identity theft is, of course, the worst-case scenario. But a data breach can also put personal data in the hands of a competitor, or cause significant damage to a person’s reputation, even their financial status. Consider, for example, the consequences of losing a VIP’s home address or mobile phone number!
Privacy is about respecting individuals. At [CLIENT], this means our clients and the people they serve, as well as our work colleagues. Personal data is essential to many of the decisions that are made about us – from whether we get a mortgage or a driving licence, to being offered a job. Our personal data is vitally important to all of us.
[CLIENT] needs personal information about our clients and employees to run the organisation successfully. The company is trusted to take proper care of this essential information. So, each and every employee at [CLIENT] has a responsibility to protect this personal data as if it were their own.
Treating client and employee data with the utmost care and respect is critical to protecting [CLIENT]’s reputation. YOU are our best defence against reputational damage.