Training staff about the new GDPR rules ahead of its implementation date on 25 May 2018 should be a top priority to ensure firms mitigate the risks of expensive data breach claims, according to a GDPR industry working party set up by Intelliflo.
Rob Walton, chief operating officer at Intelliflo, who chairs the working party, comments:
“Adviser firms will need to ensure employees are made fully aware of their responsibilities in terms of the data they can access and the consequences of any mishandling, with permissions being installed where possible to segregate data for its correct use. Under the new GDPR rules, it is mandatory that any breach is reported to the Information Commissioner’s Office (ICO) and, in most cases, the data subject within 72 hours.”
Of the 96 reprimands that were made publicly available in 2017 by the ICO, 11 were directly aimed at individuals who were working for firms at the time at their indiscretions. These were for offences of unwarranted accessing of personal data and sending sensitive data to personal email accounts without reason. Such instances could have been avoided with proper staff training. This represents a significant leap in such reprimands, since no individuals were publicly targeted by the ICO in 2016.
Public bodies have also been fined by the ICO. In May 2017, Greater Manchester Police was fined £150,000 because of three sets of sensitive personal information getting lost in the post. Again, staff training could have helped to avert such a mishap.
Rob Walton continues:
“Firms are at risk not only of fines, but also of highly negative media attention. Training staff so they are fully aware of what they can and can’t do with regards to data helps to reduce the risk of data breaches plus ensure the firm itself is not the focus for any potential enforcement procedures if staff claim they didn’t know they were doing something wrong.”