Data Protection compliance is an issue that affects every single business (both public and private sector) in the UK from sole traders through to multi-national PLCs.
This week, expert opinion is provided by Christian Mancier, partner at Gorvins and chairman of the Stockport Economic Alliance. Christian discusses how data protection compliance and policies may pan out following the UK’s decision to leave the European Union and asks ‘how aware are your company employees of current regulation?’
A complete European wide overhaul of the Data Protection regime was due to come into force on the 25th May 2018 known as the General Data Protection Regulation (GDPR). The result of the referendum has now shed some uncertainty on how things will pan out over the next couple of years.
However, the Information Commissioner’s office has made it clear that the underlying reality on which the GDPR and the associated policy is based has not changed and my view is that we will end up with a piece of English legislation that more-or-less mirrors the key principles of the GDPR which will then assist with data flows between the UK and Europe post-Brexit.
One of the key changes proposed under the GDPR is a positive obligation to notify data breaches to both the Information Commissioner and those individuals whose data has been compromised sufficiently to put them at risk of identity theft. This is a departure from the current “head in the sand and hope no one notices” approach and brings a significant risk of reputational (and financial) damage going forward.
What about employees?
Whilst cyber-attacks are a real risk and often grab the headlines, the major weak link in any Data Protection chain is an organisation’s employees as it is often the employees who will not encrypt and then lose a memory stick or mobile device, send the wrong information out to the wrong recipient and so on.
Even if your organisation has the world’s best data protection policy on paper, this is of little use unless your employees are aware of the policy, aware of the significance of a data breach and are trained in Data Protection matters, compliance and best practice to the point it becomes second nature to them as they go about their daily roles.
With the forthcoming changes on the horizon, every business should be training their staff on Data Protection policies and compliance to ensure they are up to speed when the new legislation comes into force. Don’t wait and end up fighting it on the back foot whilst having to report breaches and deal with the associated reputational damage at the same time.