In 2015 the Irish Computer Society carried out a nationwide survey to ascertain data protection professionals' opinions in the area of data protection.
The results show that of the 150 companies who took part in the survey, 15% had no data retention/destruction policy in place. This places these organisations at severe risk of non-compliance with the GDPR, due to come into force in May 2018. Another significant result from the survey showed that companies firmly laid the blame for 45% of all data breaches on employee negligence. Employee negligence can result in significant fines for organisations that fail to have adequate procedures in place to manage data protection and secure paper destruction/IT disposal once the information in question has reached the end of its retention period.
In line with the Data Protection Acts, all data controllers are required to retain information for no longer than is necessary for the purpose. With that in mind, an accurate retention policy for all documentation ensures that a company can keep track of its different legal requirements. When there is no policy in place, companies run the risk of losing data, storing both paper and digital files for longer than is necessary, and experiencing breaches in information security, while also breaking the regulations under the Data Protection Act.
The Data Protection Act places the responsibility on companies for the safe disposal/destruction of information in their possession. Responsibility for secure destruction falls under the remit of the data controller, and it is their responsibility to ensure that their disposal practices are compliant. If a company intends to hold information regarding customers in order to enhance services to them in the future, customer consent must be sought!
Employees with a grudge are responsible for some breaches; however, many are due to employee negligence, whether by ignoring a warning, not following proper procedures or simply through human error. Employee breaches can fall into three categories:
Innocent actions: wrongly addressed letters, misplacing mobile phones.
Careless or negligent: ignoring warnings that flash up on the computer screen, releasing information in the form of either paper or IT equipment to a non-compliant individual/organisation to process.
Malicious: the deliberate distribution of sensitive information to a third party.
Innocent Data Breach Example
In 2016, the American giant Federal Deposit Insurance Corp experienced an innocent data breach through a past employee. The employee in question, “inadvertently and without malicious intent”, downloaded a series of confidential documents relating to client and commercial information and saved them to a portable storage device. Scenarios such as this clearly demonstrate the importance for businesses (large and small) of having detailed data protection procedures in place. These procedures are created to establish regulatory-compliant methods for processing, storing and securely disposing of the data within their control, providing peace of mind to management that their systems and practices are fully compliant.
Carelessness is one risk that is difficult to control from management's perspective. The best method for management to protect their business is to focus on what they can control. In this case, educating employees and establishing effective monitoring procedures are two factors that management can control.
An example of effective education and monitoring would be to implement secure console units (secure bins) throughout your office space and introduce a procedure for all employees, instructing them to place all waste paper data in the provided consoles.
At the end of each week, conduct a spot check on all the remaining general waste bins, inspecting for waste paper data. Continue this process for a number of weeks, highlighting non-compliance to all staff members, implementing disciplinary procedures and monitoring for improvement to attain 100% compliance.
Similar to human error, malicious behaviour is extremely difficult, if not impossible, to control. The best method of equipping your organisation for this kind of behaviour is to review all employment/HR guidelines and clearly outline your organisation's stance on malicious behaviour. This can result in the criminal conviction of the employee concerned if proof of the malicious behaviour has been recorded.
With the introduction of the GDPR from Europe, data protection has become one of the most relevant and important compliance areas for organisations to review and correct where necessary. Lack of preparation may result in business-ending penalties from Europe and simply cannot and should not be risked. It may seem daunting to undertake such a review; however, the resulting protection will far outweigh the workload of completing it.
Fail to prepare, prepare to fail!
If you would like to receive any further information on the GDPR and how to become compliant, please contact the team at Security in Shredding.