In a world that runs on data, there are, quite rightly, laws in place to ensure we, and our data, are protected. But do you know what is designated as a valid business reason for accessing personal data? Or when you would be in breach of the law?
General Data Protection Regulation or GDPR as we know it, tailored by the Data Protection Act 2018, is a law created in the European Union (EU) to protect the personal data of its citizens. Although it was passed in Europe, it affects businesses worldwide.
Christian Mancier, Commercial Partner at Gorvins, explains:
Every time we sign up for a new service, buy a product online or even sign up for a newsletter, we leave a data trail behind. By law, we have some level of control over how companies use our data and have measures at our disposal to request that they delete the data they hold, in certain circumstances.
Importantly, for the companies and institutions that hold information about us, there is protective legislation governing how they use that data. The Data Protection Act 2018 requires everyone to use data fairly, lawfully and transparently. Avoid falling foul of the law by ensuring your staff understand when they can and can’t access customer data.
The consequences of accessing data illegally
The consequences for individuals and businesses that fall foul of GDPR and the Data Protection Act can include costly legal proceedings and significant reputational damage.
Recently, a case went before the magistrates’ court where the defendant was employed at South Warwickshire NHS Foundation Trust. Christopher O’Brien pleaded guilty to unlawfully accessing the medical records of 14 patients without a valid legal reason.
In this instance, the defendant accessed the records of people known to him without a valid business reason or the knowledge of the trust he worked for. This led to significant distress for the victims and reputational damage for the NHS Trust.
The defendant was ordered to pay £250 in compensation to each of 12 patients, totalling £3,000.
The importance of training your staff in GDPR and to be data-aware
The above case is an unfortunate example of what can happen when personal data is accessed without a valid business reason. While you can’t control the actions of certain rogue individuals 24/7, you can ensure adequate training is given, minimising the chances of data being accessed improperly.
For example, there are many instances where a business might need to access a client’s data. However, the line between accessing that data legally and illegally can be a very fine one.
In a case where an architect is representing a client in preparing plans to accompany a planning permission application, the architect might need to access a Google Street View or Google Earth image of the client’s property for a visual representation of the land and building in question.
However, if a receptionist at the architect’s firm looked up the client’s residence simply out of curiosity to see what the client’s house looked like, this would be an improper use of personal data as there is no valid legal or business reason for that person to access such information.
Advising your staff of these nuances could be the difference between a compliant GDPR strategy and costly legal issues resulting in reputational damage.
Thanks to Christian for providing his Expert Opinion to Marketing Stockport