The vulnerability of people’s personal data has been highlighted in the news again, after recent allegations emerged that pensioners’ salaries, the value of their investments and the size of their pensions are being sold to criminals for as little as 5p, without the individuals’ consent [1]. The Information Commissioner’s Office (ICO) has launched an investigation, after it emerged that an array of Data Protection Act (DPA) principles may have been violated, most obviously the first principle, which states that “Personal data shall be processed fairly and lawfully” [2].

It is a truth universally acknowledged that data protection laws across the European Union (EU) need to be re-aligned with the technological capabilities of businesses and public sector bodies in the 21st century. The EU General Data Protection Regulation (GDPR) is expected to be passed by the end of 2015, replacing Directive 95/46/EC, the directive that the UK DPA implemented in 1998. The GDPR will transform the way organisations operating in the EU collect, handle, store and dispose of personal information.

The fines for non-compliance are being raised considerably to deter companies from misusing personal information. Here is how you can help safeguard your organisation from a fine of up to €100 million, or 5% of global annual turnover or budget.

  1. Recruit a Data Protection Officer (DPO)

The role of the Data Protection Officer (DPO) is to ensure that an organisation’s use of data complies with current legislation. Views on data protection and its application diverge amongst the 28 EU Member States. The latest proposal for the DPO role suggests that a nominated DPO will be mandatory for any legal entity that processes data on more than 5,000 individuals per annum.

Embedding the right leadership and governance framework in your organisation, with clearly defined roles and responsibilities, will help foster a culture which values and protects personal data.

  2. Make sure your incident reporting procedure and chain of command are in place

As of 2017, notifying the Information Commissioner’s Office (ICO) that a data breach has occurred will become mandatory within a specified time period, most likely 72 hours. The notification must describe the breach itself, the measures taken to address it, and its possible consequences. Although contentious, mandatory notification will push organisations to act quickly and decisively when a breach occurs. It also raises questions about how information will be shared with other Member States.

To prepare for this significant cultural shift in reporting, businesses should be certain that their incident reporting procedure is watertight and that a full chain of command, cascading from the Board to the shop floor, is in place.

  3. Raise awareness of the importance of protecting personal information

Knowing what personal and sensitive personal data your organisation holds is crucial. Information Asset Owners (IAOs) should task employees with identifying what personal data is being collected, handled and stored. Employers should also provide training to ensure a baseline level of DPA awareness across the organisation.

It is critical that everyone, from the Board to frontline staff, understands and protects their organisation’s and customers’ critical information, such as personal and sensitive personal data. Templar Executives has extensive experience in providing Data Protection legislation training to Government Departments, FTSE 100 companies and SMEs.

Our half day course provides delegates with in-depth knowledge of the evolving Data Protection landscape; the financial, reputational and operational costs non-compliance could have on your business; and the importance of fostering a culture that values, protects and crucially exploits information to achieve business outcomes.