Today’s world of technology has made it all too simple to send a spreadsheet of personal data to someone, with the best of intentions that it will be used as prescribed.
But what happens if the company you send the data to doesn’t have good data security, and the data finds its way onto the open market, where spammers start sending their junk mail out in volume to your customers or potential customers?
Passwords and GDPR
People who use the data need access, and most access needs a password. But ask this question: does each person have their own password and access, or is there a generic password being used, or perhaps you’ve given out your details?
You’ll need to show that control systems exist regarding passwords and what you have in place to ensure someone leaving the company has their password changed before they leave.
Sending Personal Data
How many times have we downloaded some personalised data from a database and emailed it to someone, printed it out to use or put it on a memory stick to give to someone – all in good faith? Most will have done it at some point, and because we’ve had no problems we’ve done it again, and now we just do it without thinking, because nothing’s ever gone wrong and the chances are it never will – but what happens when it does?
Imagine having to explain to your customers that you were careless with their data and it’s now in the hands of some less scrupulous people – uncomfortable is probably a mild understatement of how we’d feel.
Where Could Your Data be Hacked?
Take on the viewpoint of someone wanting to steal your data – “How would you go about it?”
Look at the obvious first, such as control of passwords and how they are generated and stored, both for the company as a whole and on an individual basis.
What about your network? If someone gained access, how easy would it be to access critical data or find instructions or passwords? Is the level of security against internet intrusion sufficient?
What rules do you have in place and are staff both aware and trained as needed?
Consider printers that are used to print personalised letters. If someone gained access to your network, what else could they potentially access?
The Money is in The List!
A well-used phrase in marketing, but to some degree true. No-one will willingly give away their customer or potential customer lists for obvious reasons, but how much care are we putting into their security?
Those doing the hacking know this, which is one reason they’ll try to access your data. They know if they get enough emails and send out offers etc., they’ll see money coming in for minimal work or they can sell the list to other people who don’t care about the rights of the individual.
Handling Your Personal Data
For many larger companies, many of these points will have long since been resolved, because of the risk of not making sure it’s secured, but for the SME (Small to Medium Enterprise) this is not always the case and in many instances, it’s a long way from being secure.
A good way to look at this is to put yourself in the position of the customer and consider how you would feel if your data was not secure. Now look at your own company and ask: how secure is the data?
Passing Data Internally and Externally
Who’s responsible for data sent to your company?
The answer: your company is, even if you were sent the data in good faith.
For instance, if you’re a print company and you are given a database by your customer and it turns out to be a database that violates GDPR – you will still be held responsible (till now it’s been the responsibility of the supplier).
This means that you need to be sure of who you work with in terms of how they collected their data before you go ahead and use it.
Internally, care needs to be taken when downloading personal data lists to pass on to others in the organisation. What happens to the data during and after it has been used? If it’s a printed list, how will it be disposed of on completion? What about a ‘memory stick’, where it can easily be transported out of the building or inadvertently used for something else and passed to someone who shouldn’t have that data or to an outside person?
Auditing Data and its Collection
If you use data sent to you by a customer, you’ll need to set up an auditing procedure. You need to know the data was collected with their customer approval and that they have agreed to their data being used in whatever way it’s being used.
Consequences of Violating GDPR
€20 million or 4% of global turnover will be the end of many businesses. The reality is few will ever face these consequences, but if you’re found to be continually violating the rules or worse still you are responsible for a data leak, then expect trouble with a capital T.
The probability is that a few companies who flout the rules continually will be targeted, and then we’ll all get to hear about them – scare tactics will, I’m sure, play a part in implementing GDPR.
If you have any doubts, the best option is to call in a specialist and take professional advice. Don’t wait until the horse has bolted; fix the gate now.
This is a Guide Only
I want to make it clear at this point that you should do your own due diligence on what you need to do, because there are variables that impact how your data usage is viewed in terms of GDPR.