By Stuart Snape, Managing Partner, Graham Coffey & Co. Solicitors
A lack of knowledge about personal data protection can lead to serious consequences in the event of a breach. Anyone whose professional duties include managing or controlling personal data should know who is responsible for protecting that data, and who might be to blame if the data is breached.
Most countries now have governing bodies to scrutinise the national and international exchange of personal and business data, ensuring that adequate measures are taken to protect such data from being leaked or used negligently. The General Data Protection Regulation (GDPR) oversees the protection of data in the EU, and describes itself as ‘the world’s toughest and most regimented data protection scheme.’
GDPR was introduced in 2016 amidst the then-largest data breach the world had seen; Yahoo!’s double breach resulted in one billion users’ information being leaked. The anticipated legislation placed accountability on businesses to protect the data of their customers and employees; and, for the first time, detailed the responsibilities of any employees who processed or controlled data as part of their role. Yahoo’s legal settlement was valued at $117.5 million and there have been even larger penalties for businesses involved in data breaches in the years since.
GDPR applies to all EU countries and people, meaning that international companies that collect and process the personal data of EU citizens must abide by the legislation. Shortly after the regulation came into effect, the UK began the process of leaving the EU, and developed its own Data Protection Act 2018. Given its similarities to GDPR, the nickname ‘UK-GDPR’ was coined, and stuck.
At its core, the UK legislation holds businesses and individuals accountable for the misuse of data in much the same way that its European counterpart does. Businesses that have hitherto adhered to EU-level data protection laws will find identical principles. Nevertheless, all businesses must ensure their practices stay compliant. To achieve this, it is vital that both employers and employees understand their rights and responsibilities.
Below, the experts in data protection at Graham Coffey & Co. outline who has a legal responsibility to protect data, why data is likely to be subject to a breach, and when you should be especially aware.
Up until the COVID-19 pandemic, businesses in the UK had clear data protection rules to abide by. The sudden and significant change in working habits ushered in by the pandemic opened the door to legislative uncertainty, as data protection laws had not yet been tested by employees using company data on a large scale while working remotely or from home.
When to protect your data
Data is in one of two states: at rest or in transit. ‘At rest’ means data in storage, such as a device’s hard drive or a USB stick. Data is ‘in transit’ when it is being accessed or moved between systems – such as when it passes from a server to your device.
Recital 83 of the UK-GDPR states that ‘the controller or processor [of data] should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.’
Here, a clear indication of responsibility is outlined: the employer must take steps to ensure that the data is protected at all times, whether at rest or in transit. The example given by the regulation is encryption – but further measures are outlined below.
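The recital names encryption as the example measure. The following Go program is an added illustration, not part of the article or of any firm’s guidance: it encrypts a constructed personal-data record at rest with AES-256-GCM, stores the random nonce alongside the ciphertext, and shows the failure mode a practitioner cares about, namely that a record altered on disk (or decrypted with the wrong key) is rejected rather than silently returned as garbage. The key-loading function is a placeholder; in a real deployment the key would come from a key management service or OS keystore, never be hard-coded or stored beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ErrTampered is returned when a stored record fails GCM authentication,
// which happens if the ciphertext, nonce or tag was modified or if the
// wrong key is used. The caller must treat this as a security event.
var ErrTampered = errors.New("stored record failed authentication: tampered or wrong key")

// loadKey is a hypothetical key source for this demonstration only.
// It returns a constructed 32-byte AES-256 key; real code fetches the key
// from a KMS or keystore and never derives it from a fixed pattern.
func loadKey() []byte {
	key := make([]byte, 32)
	for i := range key {
		key[i] = byte(i * 7)
	}
	return key
}

// EncryptAtRest seals plaintext with AES-256-GCM and returns
// nonce || ciphertext || tag as one self-describing record.
// A fresh random nonce is generated for every call; reusing a nonce
// under the same key would break GCM's confidentiality and integrity.
func EncryptAtRest(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptAtRest opens a record produced by EncryptAtRest. Any
// authentication failure is mapped to ErrTampered so callers can
// distinguish integrity failures from ordinary I/O errors.
func DecryptAtRest(key, record []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(record) < ns+gcm.Overhead() {
		return nil, ErrTampered // too short to hold a nonce and a tag
	}
	plaintext, err := gcm.Open(nil, record[:ns], record[ns:], nil)
	if err != nil {
		return nil, ErrTampered
	}
	return plaintext, nil
}

func main() {
	key := loadKey()
	// Constructed sample record; the values are invented for the example.
	record := []byte("employee_id=1042;name=A. Example;ni_number=QQ123456C")

	sealed, err := EncryptAtRest(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes; plaintext never written to disk\n", len(sealed))

	opened, err := DecryptAtRest(key, sealed)
	fmt.Printf("round trip ok: %v\n", err == nil && string(opened) == string(record))

	// Simulate an attacker or faulty process altering one byte on disk.
	sealed[len(sealed)-1] ^= 0x01
	_, err = DecryptAtRest(key, sealed)
	fmt.Printf("tampered record rejected: %v\n", errors.Is(err, ErrTampered))
}
```

Encrypting the record addresses confidentiality at rest; it does not replace access control, since anyone who can call DecryptAtRest with the key still sees the data, which is why the key must be held separately from the encrypted store and released only to the processes that need it.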
What measures should my business take?
You should examine who has access to sensitive data.
Employees should only have access to the data they require on a regular basis to complete their daily tasks.
Limiting the amount of data each individual can access lessens the impact of a single employee’s security lapse.
Use a corporate virtual private network (VPN) to limit access to your sensitive data.
A VPN will encrypt your employees’ connection to your servers, allowing them to access your company’s network safely and securely.
The encrypted tunnel provided by the corporate VPN helps keep your data safe in transit. Attackers without access to the corporate VPN cannot reach the servers that are exposed only through it.
You must implement the necessary processes to achieve data security best practices and regularly monitor to ensure that your organisation is meeting regulations at every stage. The rules must always be followed without exceptions.
To be safe, your employees should use a reputable VPN when working from home, as an additional layer of security.
Train your employees
It is much better to be safe than sorry. Training your employees on the importance of data protection and its best practices, as well as your own organisation’s policies and processes, will significantly reduce the risk of a security breach. If there is ever a breach, the impact is likely to be reduced by other employees implementing good safety procedures.
I’m an employee; what do I need to do?
Whenever you are working, keep the following advice in mind:
- Follow your company’s rules, processes, and guidelines
- Only use authorised technologies when processing sensitive data
- Keep confidentiality in mind when using a screen
- Do not mix your personal data with the company’s
- Be cautious when accessing online links and attachments in emails or other messages
- Create strong passwords
- Update your software regularly
While hackers and other cyber criminals have access to sophisticated tools for breaking into systems and extracting data, one of the most common causes of data breaches is human error. By remaining vigilant, you can help to avoid the serious consequences that can follow from a data breach.
What happens when a data breach occurs?
Following a data breach, it can be difficult to assign liability. If there is a legal case to answer, prosecution will depend on the specific circumstances, as there are countless ways in which data can be mishandled or leaked unintentionally.
Employees have a duty to comply with UK-GDPR, and failing to do so could result in personal liability for a data breach of company information.
It is an offence for an employee to knowingly obtain or share personal data without consent. If an employee is found in breach of this regulation, they could find themselves subject to a fine because of poor compliance measures, or for misapplying UK-GDPR rules. If an employee was working from home, there will be an investigation into the circumstances that led to the data leak.
If there is evidence to prove that the leak was not intentional, liability may be traced back to the employer. Therefore, an employer can be held accountable in the event of a breach caused by an employee. If the business failed to implement adequate safety measures, the employer may be found liable. As such, it is vital that companies make efforts to protect data at every point, and that they implement measures that reduce the risk of a data breach when employees are working remotely.