Poor storage, failure to destroy records and information mishandling are just three ways that UK organisations have been finding themselves on the wrong side of data protection rules.
Since the GDPR was introduced in May 2018, research has found that the UK is one of the top three countries for data breaches. The UK experienced 10,600 personal data breaches of the 59,000 reported across the continent since the new law came into effect.
Among those getting it wrong was a London council, which was fined £145,000 in November 2018 after a council worker accidentally breached data protection law by allowing an unredacted document into the public domain. The document detailed the names of residents suspected of involvement in local gang violence.
At another council, mistakes in envelope stuffing saw details of an elderly woman’s benefit payments leaked to another resident. It was reported that 12 pages containing information about three years of payments were sent to the wrong person.
Last April, thousands of patient files, including bank details, medical records and contact information, were discovered abandoned in a former nursing home. The home closed in 2016, so the data was mislaid before GDPR became law, but people entering the derelict building found paperwork on hundreds of patients, along with residents' belongings and pharmaceutical drugs.
Among the measures that organisations can take to reduce the risks of events like these are:
Ongoing staff training
Data training should not be a one-off event. As well as giving staff a full understanding of the GDPR requirements for using and storing personal data, updates need to be issued on a continual basis and any new learning shared across the organisation.
It’s a good idea to review data protection policies on an ongoing basis and to make sure that all new starters are trained in correct data use as part of their induction.
All public authorities must appoint a data protection officer, keep records of their data processing activities and, whenever high-risk data processing is involved, carry out a data protection impact assessment.
Confidential documentation and data should be kept in locked and secure storage, with separate receptacles for paper and electronic media. Large organisations should keep a record of where these storage places are so that data can be located quickly when needed.
Under GDPR, organisations have to show that they know exactly where personal data is stored, how it is being processed and on what lawful basis it is processed, for example the explicit consent of the individuals it covers.
Prevent visual hacking
Privacy filters are a must for people working on the move or in public places. They stop anyone other than the device user from reading the contents of the screen.
Data destruction policy
Storing data safely is just one part of the equation. Destroying personal data as soon as it is no longer needed for its original purpose, and shredding confidential documents in line with compliance requirements, matters just as much.
For destroying personal data, a secure cross-cut shredder that can reduce A4 sheets into hundreds or thousands of pieces is the minimum requirement.
Every organisation should, by now, have a data destruction policy that everyone in the organisation understands. It should set out the essential requirements in as simple and easy-to-follow a way as possible.
For more information
View our Security flip book