GDPR and how to implement ongoing compliance


The General Data Protection Regulation (GDPR) was incorporated into the Data Protection Act 2018 (DPA 2018), which received Royal Assent on 23 May 2018.

Now that the act is implemented all policies and procedures relating to the collection, processing, handling, storage and deletion of all personal data should be in place. That, in some ways, was the easy part. The more difficult part is making sure that, going forward, compliance is maintained.

As the person with overall responsibility, and potentially one whose livelihood could be damaged if a breach occurred, what actions can you take to ensure that your organisation is safe from a careless data breach or a disgruntled employee?

Internal security

All staff should have been trained on the new DPA 2018 rules and regulations. They should be able to recognise a subject access request (SAR), process personal data in line with the act and your procedures, and understand why it is critical to do so. However, being trained on the new procedures and sticking to them may, in practice, be difficult. So how does the owner or manager ensure compliance? And what is the cost of non-compliance? Below is an example of what could happen if an employee decides to cause a data breach.

In 2014 Morrisons was found liable for the actions of a former member of staff who stole the details of nearly 100,000 staff. The culprit received eight years in jail and Morrisons, who, due to the data breach incurred costs of more than £2 million, is now facing the prospect of being sued by at least 2,000 current and former employees. The financial consequences for Morrisons could be severe.

You may be thinking that if Morrisons, with all the resources and cashflow to buy the most sophisticated and up-to-date software and training, cannot protect against employee misbehaviour, what chance do you have? But with a much smaller number of staff, fewer branches and lower staff turnover, it may be easier than initially thought.

Suggestions to prevent internal data breaches

Just as the Prime Minister banned the cabinet from bringing mobile phones to a recent Brexit meeting, you could implement a ‘bring no memory stick or other tools for saving data to the office’ policy.

‘No access to any software or internet access other than that needed for the work in hand’ can be written into the procedures. This will minimise the uploading of data to social media sites, OneDrive, Dropbox and other similar areas of the internet.

Further actions could include reviewing computer and browsing history at random intervals, and monitoring the emails that staff send.

However, all the above could be time-consuming and make staff feel untrusted. A better way of ensuring that personal data is protected, even if it is copied, is to pseudonymise the clients’ data before entering their details into the accounting and payroll software. That way, even if the data is stolen, no one can identify the individual, because the key needed to unlock the pseudonymised data is held separately, either on another server or offline. This would make your employees feel valued and trusted, rather than treated as potential criminals.
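One way to carry out the pseudonymisation described above, as an added Python example that is not from the article or from AAT: identifying fields are replaced with an HMAC-derived client reference before the record goes into accounting or payroll, and the mapping back to the real identity lives only in a key store that is assumed to be held on a separate server or offline. The client record and field names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Fields that identify a person; they must never be entered into the accounting software.
IDENTIFYING_FIELDS = ("name", "email", "address")


class KeyStore:
    """Holds the HMAC secret and the token-to-identity mapping.

    Assumed to live on a separate server or offline medium, never alongside
    the accounting data, so a copy of the accounting database is useless on its own.
    """

    def __init__(self):
        self.secret = secrets.token_bytes(32)
        self.identities = {}

    def token_for(self, email):
        # Deterministic: the same client always gets the same reference, so
        # records still link up, but without the secret the token reveals nothing.
        # 16 hex chars (64 bits) is ample for a practice's client list.
        digest = hmac.new(self.secret, email.strip().lower().encode(), hashlib.sha256)
        return digest.hexdigest()[:16]


def pseudonymise(record, key_store):
    """Split a client record into a safe record for accounting/payroll and the
    identifying part, which is written only to the separately held key store."""
    token = key_store.token_for(record["email"])
    key_store.identities[token] = {f: record[f] for f in IDENTIFYING_FIELDS if f in record}
    safe = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    safe["client_ref"] = token
    return safe


def reidentify(safe_record, key_store):
    """Reverse the process; only possible with access to the key store."""
    return {**safe_record, **key_store.identities[safe_record["client_ref"]]}


# Constructed sample client record (not real data).
SAMPLE = {"name": "Jane Example", "email": "jane@example.invalid",
          "address": "1 Example Street", "invoice_total": 1250.00, "vat_rate": 0.20}


def leaks_identity(safe_record):
    """True if any identifying value from SAMPLE appears in the safe record."""
    values = {str(v) for v in safe_record.values()}
    return any(SAMPLE[f] in values for f in IDENTIFYING_FIELDS)
```

Pseudonymised records remain personal data under the GDPR for as long as the key store exists, so the key store needs at least the same protection as the original client details did.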

Creating new policies

All the above can be written into the new policies and procedures with training given on both, with employees signing that they understand and comply with the requirements. This would also be a good time to review employment contracts and revise them as necessary to encompass the new regime.

Remember, it is not that you don’t trust your staff; it is about protection of your and your staff’s livelihoods as well as client confidence and data security.

Finally, a note on personal data disposal. It is not enough to throw away hard copies or delete files containing personal data. Rubbish bins can be and are ransacked for personal information, and deleted files are often still recoverable from the computer’s storage. All files to be disposed of, whether hard copies or computer files, should therefore be shredded: physically for paper, and by secure wiping for computer files.

External security

Often a visit to a client or attendance at an AAT conference or event is necessary. To run a busy practice, the laptop may be packed along with the toothbrush and toiletries. Now that the DPA 2018 is in force, all personal data held on the laptop, or within software that has automatic access to the cloud, is at risk. Again, pseudonymisation of data would be a solution to minimising risk, so a quick check now of what information is held on the laptop would be prudent. It may come as a surprise to see what little nuggets of personal data have been saved to the laptop over the years. Take the time to review and shred the data. Peace of mind is worth the effort.

Finally, using a client’s wi-fi may be commonplace. But before logging on, do ask about anti-virus and malware protection. Just to be sure.

Show total commitment to minimising a breach

Some of the above may seem a bit like ‘Big Brother’ is watching, but remember, you have to show total commitment to minimising the likelihood of a breach. Anything less could lead to an Information Commissioner’s Office investigation, and, in some ways even worse, client and reputation loss.

Julie Hodgskin is a fellow member of AAT, runs a licensed accounting practice and is a technical materials author for CIPP.
