…(and can be costly too!)
GDPR is not normally associated with parties, but recently I heard the end of a conversation about an office Christmas party and it set me thinking about the impact that a misplaced sentence can have. Friendships and working relationships can be badly damaged, in some cases, irreparable.
If I choose to pass on my unvarnished opinion about a colleague during the Christmas bash, then I can find myself in a lot of trouble. If on the other hand, I whisper information that has come from the data controller then not only am I in hot water, but I’ve also given the extra present of a data breach.
Paragraph 4, Article 32 of the GDPR says:
“The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.”
Put more simply, you must ensure that people are given clear guidance about what they can and can’t do with personal data and you must ensure they stick to those rules.
Bear in mind that it doesn’t matter how information is disclosed for it to be a breach. Whether you’ve been hacked, sent an email to the wrong person, lost a paper file or repeated information to someone who shouldn’t know it, a breach has occurred.
With verbal disclosure the situation is often made worse by the fact that our natural desire is to share more ‘interesting’ information, which is also usually more confidential and leads to greater upset.
We’ve seen examples where incidents have been dealt with from a disciplinary standpoint but have gone unrecognised as a data breach. Obviously, if you need to report the breach to the ICO, you’ll have to explain why you missed the 72-hour deadline for reporting. It is difficult to say that you have a sound regime for data protection but missed this high-profile target.
What steps should you take to avoid these issues:
Training
- All your staff need to know about the risks of verbal disclosure. Include it in your normal GDPR training but you may need to provide a special briefing. As well as knowing that they need to notify your DPO or GDPR lead, it’s a great time to remind people of the perils of letting information slip.
Easy reporting
- Take away any barriers that prevent staff from alerting you to an issue. Have an email address just for staff to alert you of issues or consider an online form.
A response procedure
- If people do report issues then you need to have a well-established procedure to deal with them. Get it recorded and you can even practice to make sure the 72-hour deadline can be met.
Joined up processes
- Issues which trigger disciplinary procedures may relate to data protection issues and vice-versa. Make sure that there is a section in the guidance for both areas that highlights the risks and include this in your general training and particularly induction training.
So, as you contemplate the upcoming festivities, it may be worth a timely reminder to everyone that we have to consider what we’re saying just as much a what goes into an email.