Insights - Data Protection and GDPR - Posted: February 8, 2016
Data breaches – “We could have done more”
Will your business suffer a data breach in 2016? Will your CEO be the one on the news uttering the increasingly familiar refrain “We could have done more?”
2015 saw one organisation after another suffer a variety of damaging and embarrassing data breaches. These ranged from the potentially criminal hacking of customer details and financial information from Talk Talk, to the simple but highly embarrassing human error case in which HIV patients’ identities were disclosed by an email that listed them all in the “To” box instead of the “bcc” box.
Most shocking from an HR perspective was the case of Andrew Skelton, the Senior Auditor at the Morrisons supermarket chain, who was jailed for 8 years after stealing the bank, salary and national insurance details of around 10,000 colleagues and sharing them with news outlets and data sharing websites.
Of course, the problems for Morrisons have only just started. They are reported to have already spent around £2 million addressing the issue internally and assisting their affected employees. They now face a lawsuit from over 2,000 employees that could potentially cost them yet further millions of pounds on top of that.
So will your business be hitting the headlines in 2016 for the wrong reasons?
All data controllers have strict legal obligations under the Data Protection Act 1998. These include having in place appropriate technical and organisational measures to prevent unauthorised, unlawful or accidental loss, destruction or damage to personal data.
To put this in context, the Information Commissioner has, since 2010, handed out fines of between £100,000 and £325,000 in around 28 cases for failures to comply with the Act.
This is on top of any civil claims that could be pursued by the individuals affected, and the time and expense each organisation incurs in rectification action, reputational damage and, in some cases, a fall in share price.
Do you know the answers to the following:
- Are your computers or laptops encrypted rather than just password protected?
- What are your organisation’s rules on data security?
- When was your IT policy last reviewed?
- Do you have a data security breach management policy and procedure as recommended by the Information Commissioner?
- Do you give your employees any training in data security awareness?
- Where does responsibility for data security rest in your organisation: HR, IT, Finance or all of the above?
From an HR perspective we recommend all organisations:
- Review your data protection policies, including your disciplinary rules;
- Review your IT policy (if it refers to floppy disks or dial-up, a review is probably long overdue!);
- Assess the level and sophistication of data security awareness across your workforce and consider appropriate data security awareness training;
- Audit the personnel data you hold. Assess why you need it, how you store it, who has access to it etc. Remove out of date, irrelevant and unnecessary data – you cannot lose, have stolen or maliciously shared what you do not hold!
Whilst no amount of HR training and paperwork can be guaranteed to prevent a sophisticated criminal attack, it can significantly mitigate the consequences of the human errors seen at the heart of most data breaches and protect your organisation against the potentially serious liabilities for failing to comply.
Please contact us if you would like to discuss how we can help you to protect your business against data breaches.