Data holding is no longer something an organisation can take lightly; it needs serious thought and processes put in place.
The General Data Protection Regulation (GDPR) is the regulation by which the European Parliament intends to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside of the EU.
The primary objectives of the GDPR are to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It was adopted in April 2016 and applies from May 25, 2018, after a two-year transition period. Unlike a directive, it does not require any enabling legislation to be passed by national governments.
The Information Commissioner’s Office has already stated it will keep, or enhance, the GDPR position, even when the UK exits the EU, for any UK-centric breach. However, should a UK company wish to trade with the EU post-Brexit, then it must abide by the GDPR rules, so there is no escape!
I am constantly surprised at how few businesses are taking GDPR seriously. I can perhaps understand some of the ‘cavalier’ attitudes and the ‘it won’t happen to us’ positions, but it is the ‘we don’t hold personal data’ stance which is the most puzzling. We all hold personal data of some sort, and even if we operate in a B2B world, how can we be sure that the mobile number on a person’s business card is a company-issued one rather than a personal one?
Building management companies need to pay attention to GDPR as well. I suggest they need to reflect on where they store the data they gather. For example, most smart buildings have keyboards and screens at reception for entering a person’s details when they visit a location. Often a visitor badge is printed out and presented to the visitor. But where is that visitor data held, is it secure, and who else has access to it? If GDPR is taken into consideration, how long will that data be held for, and in the event of a data disclosure request by a previous visitor, could that data be easily located and retrieved?
If there is any doubt about the answers to any of these questions, then the management company would be in breach and thus open itself up to possible fines of 4 per cent of global turnover or €20m, a figure not to be sniffed at. However, it would not end there, as board-level management could find themselves subject to personal litigation for not protecting an individual’s data. Personal fines could also be high, especially in the event of multiple data loss claims.
Another worrying area is that of Curricula Vitae (CVs): an obvious document that contains personal data and which management companies tend to receive in abundance, as their ‘employee churn’ is notoriously high. Most Human Resource (HR) managers think that this data is only held within their own departments, but it is also shared with the relevant departmental manager who, in turn, may share it with their senior team. Thus, one CV is duplicated maybe 5-6 times. Given most advertised jobs receive 50-60 replies, that could equate to 250 copies in existence for that one job. If in a year the company recruits 100 people, that’s 25,000 CVs in various file systems! Are they all controlled? Could all CVs be located? If the answer to any of these questions is no, the company is in breach.
Extend this thought to the obvious data-gathering sources such as CCTV, HR records holding next-of-kin data, third-party support companies etc., all of which fall under GDPR and need control and protection.
Data holding is no longer something an organisation can take lightly; it needs serious thought, processes put in place for data controls and protection, and the go-to motto must be: when in doubt, encrypt the data!
Don’t think you are safe unless you really do operate in an igloo and have no staff or guests.