What Are the Benefits of ISO 27001 for My Organisation?

ISO 27001 is the internationally recognised standard for an information security management system (ISMS) and for controlling the information security risks it manages. ISO 27001 sets out standardised requirements which help you to implement, operate, maintain and improve your ISMS. If you become ISO 27001 certified you prove to clients and other stakeholders that you are a responsible organisation that takes every possible measure to manage information security risks.

What are the risks to information security?

Potential security threats include:

  • cyber crime
  • fire/damage
  • loss
  • misuse
  • personal data breaches
  • terrorism
  • theft
  • vandalism
  • viral attack

How can ISO 27001 certification help my organisation to manage these threats?

A water-tight information security management system is vital for the survival of any organisation. Gaining ISO 27001 certification involves putting in place the technical and operational requirements necessary to manage and protect all your valuable data from security threats. An ISO 27001 certified ISMS provides an effective framework for identifying risks and threats as well as establishing appropriate controls for eliminating or minimising these threats.

Every information security management system must effectively control who has access to information at any given time. ISO 27001 provides a framework to make sure authorised users can get access to information whilst at the same time preventing unauthorised users from accessing data. If a data breach were to occur, this framework would enhance your organisation’s recovery operations.

By implementing ISO 27001 you are sending a clear message to everybody in your organisation that information security is your top priority. Increasing awareness in this way helps to set a security mind-set throughout your company, reducing the likelihood of employee related breaches.

What are the other benefits of ISO 27001 certification?

Protect your reputation

In a BBC news report dated 9th October, 2017 the head of the intelligence monitoring service GCHQ said: ‘…keeping the UK safe from cyber-attacks is now as important as fighting terrorism’. There’s no doubt that cyber-attacks are becoming more frequent and stronger by the day, causing financial and reputational damage to organisations everywhere. Therefore it’s more important than ever to meet ISO 27001 standards.

More customers!

ISO 27001 builds trust. Your clients, employees and stakeholders have the right to expect that their private information is protected. ISO 27001 standards are a blueprint for the policies and procedures that help to set everybody’s minds at rest. Not only will you keep your existing clients happy but you could also have a business advantage over competitors who are not ISO 27001 certified.

Avoid fines

Under the GDPR, which comes into force in May, fines for data breaches can be up to 20 million euros or 4% of annual turnover – whichever is higher. ISO 27001 is the accepted global standard for information security management systems ensuring that you are compliant with the new regulation, avoiding costly financial penalties. The standard selects the right and proportionate security controls for your ISMS so that you meet all legal requirements including GDPR, the NIS Directive and UK cyber security laws.

Responsibility

When a business grows very quickly in a short space of time there can be confusion about who is responsible for which information assets. ISO 27001 helps businesses to organise this aspect by clearly setting out all the information risk responsibilities.

Fewer audits

ISO 27001 certification is accepted proof of effective security. Therefore, the standard saves you time and money by reducing the number of external customer audit days that you need.

Independent advice

As part of your ISO 27001 certification, an external auditor will undertake regular reviews of your ISMS to ensure that there is continual improvement and that everything is working correctly. Therefore you will always feel confident that your ISMS provides the security necessary to protect your organisation’s data.

Is ISO 27001 appropriate for my type of business?

Yes. ISO 27001 certification is suitable for organisations of every size, across every sector. The standard is especially suitable for organisations that process large quantities of personal or sensitive data such as public and IT sectors, health bodies, and financial and banking organisations. It’s also the recognised standard for organisations that manage high volumes of data or manage information on behalf of other companies.

Can ISO 27001 be integrated with other management systems?

ISO 27001 can be fully integrated with other ISO management systems, such as the ISO 9001 quality management system, OHSAS 18001/ISO 45001 (occupational health and safety) and the ISO 14001 environmental management system. Integrating your management systems brings substantial business benefits, such as:

  • increased organisational efficiency and effectiveness
  • reduced costs
  • reduced disruption due to fewer external audits
  • a demonstration of your commitment to performance, employee and customer satisfaction, and continuous improvement.

What are the steps to ISO 27001 certification?

ISO 27001 involves the following steps:

  1. A gap analysis to find out how your existing information security management system compares to the ISO 27001 standard.
  2. A formal assessment. Your external auditor will review which controls and procedures have been established following the gap analysis, pointing out any further gaps that need addressing.
  3. Your auditor will assess the implementation of the procedures and controls that you’ve established to make sure they work effectively enough to meet ISO 27001 certification standards.
  4. You receive an ISO 27001 certificate which is valid for three years. Your auditor visits regularly to ensure that you remain compliant with legislation and that your information security management system continually improves, adding value to your business.

How can NDC help you to achieve ISO 27001 certification?

NDC Global Auditors’ team of qualified lead assessors have extensive experience in auditing to ISO standards in a number of industry sectors and their supply chains. Our ISO 27001 lead assessors can support your company at every step of the implementation process and provide follow-up consultancy support to facilitate continual improvement.

Our services include:

Consultancy and training

  • gap analysis and action-planning
  • switch on/switch off consultancy support throughout the implementation process
  • training for every step of the certification process
  • developing effective policies, audit checklists and protocols
  • third-party assessment
  • follow-up consultancy support to facilitate continual improvement
  • support to integrate ISO 27001 with other ISO standards such as ISO 9001, OHSAS 18001/ISO 45001 and ISO 14001.

Technology to support ISO 27001

Our partners at Soitron UK can also support you to build the IT infrastructure to facilitate ISO 27001 and GDPR compliance. Their technical experts can test your existing system for weaknesses and support you to develop IT and cyber security systems that are robust and compliant.

Contact us to discuss how we can support your organisation to implement ISO 27001.

How Will the Rules for Subject Access Requests (SARs) Change Under the GDPR?

The rules for making a subject access request (SAR) under the GDPR will be similar to the Data Protection Act 1998. However, there are key differences. With less than six months until the GDPR comes into force, it’s time to make sure you can meet new requirements to be legally compliant.

What is a subject access request (SAR)?

A SAR is the right of an individual to request any personal data you hold about them. The reason that the GDPR and the Data Protection Act 1998 (DPA) provide this right is so individuals can verify that their personal data is being processed lawfully. SARs must be made in writing. Individuals can ask:

  • why their data is being processed
  • what categories of personal data are held about them
  • who has received or will receive their personal data
  • where the data came from if they did not give it to you.

How will GDPR changes to subject access requests affect my organisation?

Fees

At the moment you can charge an administration fee for SARs. Under the GDPR you cannot charge unless the subject access request is ‘manifestly unfounded or excessive’. However, you will have to be able to prove that the request is ‘manifestly unfounded or excessive’. As the guidance isn’t specific, that’s difficult. The GDPR states that you can charge a ‘reasonable fee’ for multiple requests – again the guidance isn’t specific, so approach with caution.

Response Time

The GDPR allows you just one month to respond to subject access requests instead of forty days under the DPA. This deadline can be extended by a further two months for a complicated or large request. The data subject must be notified of any deadline extension within one month of receipt of the SAR and they must be given an explanation of the decision. You will need to make sure that your organisation has procedures in place to cope with this reduced timescale.

Electronic Access

If an individual makes a SAR electronically then you must provide information in a commonly-used electronic format unless they request otherwise. Before sending out electronic information you must verify the individual’s identity. As you only have one month to respond to SARs you need to make sure that if requests are emailed to a particular staff member, then these are actioned when that staff member is absent.

Content of Response

When you respond to SARs you should tell the individual what personal information is held about them, the purpose for which it is held and what processing is being carried out. You might also need to provide additional information such as your data retention period.

Right to Withhold

The GDPR and current DPA hold the same position here. Under the DPA organisations can withhold information if it regards the prevention, detection or investigation of a crime; national security or the armed forces; the assessment or collection of tax; and judicial or ministerial appointments. The GDPR states that personal data can be withheld if it would ‘adversely affect the rights and freedoms of others’. In future our government may introduce further exemptions to SARs relating to public security, so we will have to watch this space.

How can my organisation prepare for changes to SARs?

  1. Create a subject access request template. That way, individuals will always provide the information you need to respond consistently and efficiently to SARs.
  2. Write and implement policies and procedures for handling SARs, making sure that the new shorter response times are incorporated.
  3. Make sure that your staff are trained to handle SARs so that they can identify them when they come in and respond correctly.


Final point: The key change most likely to affect your organisation is reduced response time. As the GDPR only allows you one month to respond to subject access requests you might consider implementing a ‘data subject access portal’. This will enable individuals to access their personal data promptly, remotely and easily, ensuring that subject access requests are GDPR compliant.

How can NDC help?

Working in partnership with IT and cyber security specialists at Soitron UK, our information security lead auditors can:

  • design a subject access request template that meets GDPR requirements and works in practice within your organisation
  • design policies and procedures that handle SARs in line with GDPR requirements, including meeting the shorter response times
  • train your staff to identify and handle SARs swiftly and correctly
  • develop your IT systems to facilitate SARs processing and all other GDPR requirements.

Contact us for further information on how our consultancy and training services can support your business to prepare for GDPR.

How does the GDPR change the lawful basis for processing personal data?

Under the current Data Protection Act 1998 (DPA) any organisation that processes personal data and sensitive personal data must have a legal basis for doing so. The GDPR, which comes into force in May 2018, is more rigorous in maintaining this position. Changes affected by the GDPR will have clear, practical implications in a way that the current DPA does not. Individuals’ rights will differ depending upon the lawful basis for processing their data.

The GDPR legal basis for processing personal data

If your organisation wants to process personal data then it must satisfy at least one of the following conditions:

1. Consent

The data subject has explicitly consented to the processing of their personal data.

2. Contractual

It is necessary to process personal data prior to entering into a contract with the data subject.

3. Legal obligations

Processing is necessary to comply with a legal obligation.

4. Vital interests

This applies when the data subject is not physically or mentally capable of giving consent but processing is necessary to protect the vital interests of the data subject or another person. For example, when an individual’s medical history is disclosed to a hospital following a serious accident.

5. Public interest

It is in the interests of public safety to carry out the processing of this personal data.

6. Legitimate interests

It’s necessary to process the personal data for the legitimate interests of the organisation or a third party, except when this negatively affects the interests, rights or freedoms of the data subject.

What are ‘legitimate interests’?

The following GDPR recitals give examples of ‘legitimate interests’ for processing personal data:

Recital 47: processing for direct marketing purposes or preventing fraud. However, Recital 47 states that data controllers must consider whether their legitimate interests are outweighed by the interests and fundamental rights of data subjects.

Recital 48: transmission of personal data within a group of undertakings for internal administrative purposes including client and employee data.

Recital 49: processing for the purposes of ensuring network and information security, including preventing unauthorised access to electronic communications.

Recital 50: reporting possible criminal acts or threats to public security to a competent authority.

What GDPR conditions must organisations meet to process sensitive personal data?

The GDPR states that sensitive personal data relates to an individual’s:

  • race, ethnic origin, political opinions, or religious beliefs
  • trade union membership
  • physical or mental health
  • sexual life
  • criminal background – offences committed or allegedly committed.

It’s mandatory under the GDPR for organisations to satisfy at least one of the following requirements in order to process sensitive personal data:

1. Explicit consent

The data subject has given explicit consent for their sensitive personal data to be processed.

2. Employment, social security and social protection laws

Processing is necessary to meet employment, social security and social protection laws or ‘a collective agreement providing for appropriate safeguards for the fundamental rights and interests of the data subject’.

3. Vital interests

This only applies when a data subject isn’t physically or mentally able to give consent but processing is a matter of life or death for them or for somebody else.

4. Not for profit (NFP)

When processing is carried out by an NFP for political, philosophical, religious or trade union reasons providing that this information is not shared with any third parties without the data subject’s consent.

5. Public

Where the data subject has ‘manifestly’ shared their sensitive information publicly under their own initiative.

6. Legal obligations

Processing is necessary for legal matters.

7. Public tasks

Processing is necessary in the interests of public health and safety.

8. Medical reasons

Processing for ‘the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of EU or Member State law…’

9. Research, archiving and statistical purposes

Processing is necessary for the public interest or for scientific, historical or research purposes providing the aims are proportionate to the fundamental rights and interests of the data subject. The data subject’s rights must be respected and safeguarded.

What satisfies ‘consent’ under the GDPR?

The GDPR defines consent as ‘freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’. Silence, pre-ticked boxes or inactivity do not constitute consent.

How can my organisation prepare for changes to the lawful basis for processing personal data?

  1. Start by assessing what lawful grounds you currently rely upon for processing personal data and sensitive personal data. Will these grounds still remain valid under the GDPR? What action do you need to take to be GDPR compliant?
  2. If you rely on ‘consent’ as your lawful basis but this is no longer adequate under the GDPR, update your policies, procedures and privacy notices to reflect this.
  3. Make your staff aware of which legal bases your organisation relies upon for processing personal data.

Most importantly, make sure you identify and document your lawful basis for processing personal data and sensitive personal data so that you comply with the GDPR.

How can NDC help?

Our information security consultants can provide on/off consultancy and training that will support you to:

  1. conduct a gap analysis of your existing systems and processes for processing personal data and sensitive personal data
  2. update your policies, procedures, privacy notices and audit checklists to comply with GDPR
  3. raise awareness of GDPR requirements and benefits within your organisation.

Contact us for further information on how our consultancy and training services can support your business.

How Will the GDPR Change Individuals’ Data Protection Rights?

For the most part, individuals’ data protection rights will be the same as they are under the current Data Protection Act but with significant enhancements. The GDPR will also introduce new rights. There will be the ‘right to erasure’; individuals can have their data deleted upon request. The GDPR will also introduce the ‘right to data portability’ which allows data subjects to access and move their personal data from one IT environment to another. Organisations will need to put policies and procedures in place to accommodate these new developments.

What are individuals’ data protection rights under the current Data Protection Act?

At the moment individuals have the right to restrict or block the processing of personal data when the information is only needed for specific legal purposes, inaccurate, or when they have objected to data processing and this claim is currently being investigated by the data controller. Individuals also have the right to:

1. Object.

The data subject can object to the processing of their personal data when it’s being used for the purpose of direct marketing.

Access.

When requested, the data controller must provide a copy of personal data without excessive delay and for a fee.

2. Rectification and erasure.

The data subject can exercise these rights if the data is incomplete, inaccurate or not being processed in compliance with the Data Protection Act.

3. Not be subjected to solely automated processes.

This is when processing an individual’s data results in a decision which significantly affects them in some way.

4. Fair and transparent information.

This means that an organisation’s privacy policy must detail the identity of the data controller, the purposes for processing the personal data and any information necessary to enable processing to be fair in the organisation’s specific circumstances.

How will the GDPR extend these existing data protection rights?

The right to object has been extended to include not just direct marketing but processing that is:

  • based on legitimate interests or the performance of a task in the public interest including profiling.
  • for purposes of historical or scientific research or statistics.

Access to personal data must now be provided free of charge and within one month of request. Data controllers will also be required to provide additional information to individuals such as the retention period of the data. Organisations will need to put systems in place to cope with these requests.

Requests for rectification of data must be responded to within one month but can be extended to two months if the issue is complex.

Individuals can request data erasure simply by withdrawing their consent – there are certain exceptions such as when the data is being held for public health purposes or public interest.

An individual’s right to fair and transparent processing has been strengthened. The GDPR requires that privacy information is communicated in clear, plain language – it is no longer enough to provide a long-winded privacy policy. The privacy policy must communicate the GDPR changes to individuals’ data protection rights.

What are individuals’ new data protection rights under the GDPR?

1. The right to erasure.

Individuals will have the right to erasure when:

  • data is no longer required for the original purpose
  • the data subject has withdrawn consent and there are no other grounds for processing the data
  • the data subject has objected to the processing
  • legal obligations require erasure of data
  • processing is unlawful.

If the data controller has provided personal data to a third party then they must take reasonable steps to inform third party controllers that the data subject has requested erasure.

2. The right to data portability.

The GDPR introduced this right so that individuals are no longer locked in to a specific service provider. The data controller must store information in a commonly used format for easy transference to another IT environment.

How can you prepare for these GDPR changes?

1. Update your privacy policies to make sure that new and extended rights are incorporated and that they are communicated in accessible language.

2. Assess whether you need to establish new procedures to cope with the practical implications of the extended and new rights. For instance, how will you deal with access requests? How will you take steps to erase data that has been shared with third parties?

3. Plan how your staff, operational processes and IT systems will need to adapt to accommodate GDPR changes to individuals’ data protection rights.

4. Develop your employees’ awareness of the GDPR requirements, how to implement your GDPR action plan and how to plan your internal audit cycle.

How Will Privacy Notices Change Under the GDPR?

At the moment, when your organisation collects people’s personal data your privacy notice needs to tell them who you are and how you plan to use their data. Under the GDPR your privacy notice must contain some additional information. You need to communicate your legal basis for processing data, your data retention periods and you must inform people that they have a right to complain to the Information Commissioner’s Office (ICO) if they are unhappy with the way you are handling their data.

Transparency and Clarity

It will no longer be good enough to provide a link to a long-winded privacy notice that hardly anybody reads. The GDPR says that companies must:

  • write information in a concise, transparent way
  • use plain language, particularly if the recipient is a child
  • provide this information free of charge.

The ICO say: ‘being transparent by providing a privacy notice is an important part of fair processing. You can’t be fair if you are not being honest and open about who you are and what you are going to do with the personal data you collect.’

The Big Issue

How do you share your privacy notice with the data subject when you didn’t obtain personal data from them directly? Under the GDPR you are required to provide these people with privacy information just as you would if you had collected the data directly. Obviously, this is tricky. The ICO recommends carrying out a privacy impact assessment (PIA) which is a method of assessing and alleviating privacy risks.

Repeat Business

If you are working with a repeat customer who is simply renewing your service you don’t need to re-issue your privacy notice unless some aspect has changed. There’s no need to send information twice.

Example Privacy Notice

Before writing a privacy notice consider:

  • What information is being collected?
  • Why is it being collected?
  • How will it be used?
  • Who will it be shared with?
  • What effect will your data processing and sharing activities have on the data subject?
  • Is the intended use likely to raise complaints?

Here is a basic outline of a privacy notice layout:

Jane Jones Industries Ltd will be the controller of the personal data you provide (the ‘data controller’). We only collect personal data that is necessary to provide you with our service. This includes your name, address, email and phone number.

Why we need your data

We need your basic personal data so that we can provide you with our charity updates. We never collect any data that we don’t need to provide this service.

What we do with your data

All personal data is processed in our UK office. No third parties have access to your personal data unless the law states otherwise. We have a data protection system in place to manage the effective and secure processing of your personal data. You can view our data protection policy on our website: http://www.JaneJonesIndustries.co.uk/data protection policy.

How long we keep your data

We only keep your personal data for as long as you wish to receive charity updates from us. We will keep your information until you notify us that you no longer wish to receive charity updates. To cancel updates email: cancellations@janejonesindustries.co.uk.

What we would also like to do with your data

With your permission, we would like to use your name, address and email address to inform you about charity events. Please visit our website to subscribe to this service. Your personal data is not shared with third parties and you can unsubscribe from charity event news at any time by telephone, email or via our website.

What are your rights?

You have a right to see the personal data we hold about you and to have it corrected or deleted. If you wish to raise a complaint about the way in which we have handled your personal data you can contact us to have the matter investigated: complaints@JaneJones.co.uk.

If you are not satisfied with our response to your complaint then you can complain to the Information Commissioner’s Office (ICO): https://ico.org.uk/concerns/.

For more details visit the ICO’s website.

Depending upon the nature of your business, your privacy notice may need to contain a lot of detailed information. You can meet the GDPR’s requirement to make this information accessible to your data subjects by ‘layering’. Layering means that you write a concise paragraph or two under the headings in your privacy notice, finishing each section with a hyperlink: ‘please follow this link for further information’. That way, the data subject hasn’t been overwhelmed by the information in your privacy notice but has been given the opportunity to delve into more detail.

Further information

Our on-site GDPR Awareness course explores the concept of ‘privacy’ and the other key requirements of the GDPR in detail. It’s a cost effective way of getting employees of all grades up to speed with the new legislation’s requirements. Contact us for more details or to discuss the specific needs of your business.

GDPR EU Regulation and the Personal Data You Hold

The GDPR EU regulation requires you to maintain records of all your personal data processing activities. In order to do this you need to identify what types of personal data you hold, where it came from, who you share it with, the reason you need it, how you maintain accuracy and how you keep the information secure. Here are the records you need in order to show you comply with GDPR.

Types of Personal Data

Record the types of personal data you hold. What kinds of individuals do you hold data about? For instance, are they adults or children? What categories of data do you hold – health data? Profession? Home insurance company used? Under GDPR EU regulation there are rules for specific kinds of data. If you hold sensitive personal data you may need to employ a data protection officer (DPO), and you might need to complete a privacy impact assessment (PIA). A PIA is a tool to identify and reduce the risk to privacy which includes misuse of personal information.

Sensitive personal data includes a person’s:

  • racial or ethnic origin
  • political opinions
  • religion
  • membership of a trade union
  • health
  • sex life
  • criminal activity

Personal Data Sources

Where did you obtain your personal data? Record whether the information came from the data subject or another source.

Personal Data Sharing

Under GDPR EU regulation it’s mandatory to record who you share personal data with and your reasons for doing so. Remember, you cannot share personal data with a third party without the explicit consent of the data subject. If you share personal data with other countries you must document which ones are outside the EEA. Personal data can only be shared with non-EEA countries if they have a suitable data protection law.

You should have a policy in place which evidences what you do when you receive a request for personal information from the data subject and from a third party. Don’t share everything you hold about people, but only the aspects necessary to achieve the objective. Document and employ a ‘need to know’ principle so that only employees in your organisation and other organisations who need the personal information to do their job have access to it. When you share data you must document what safeguards are in place to protect the data in-transit. Under GDPR EU regulation, data subjects have the right to see their records and to have their records erased – this should be incorporated into your policy.

Reasons for Holding Data

You need to be able to justify why you hold and process personal data; therefore erase any data that you don’t need. You must detail how you use the data and for what purpose. If you use personal data for automated profiling then you must complete a privacy impact assessment (PIA) if the processing will result in legal effects or another significant impact on the individual. You should have documented evidence that you’ve informed the data subject how their information will be used so that they can make an informed decision. Personal data can only be held and used for reasons given to the organisation and mustn’t be kept longer than for the registered purpose. GDPR EU regulation requires organisations to be fully transparent about how they use data.

Accurate Information

When data subjects contact you with up-to-date personal information you must change it and stop sending information to the old details. Moreover, under GDPR EU regulation you have to be proactive in contacting individuals to make sure that the information you hold about them is correct – you need to be able to prove your efforts in your documentation. If you have shared information with another organisation then it’s mandatory to provide them with the update you’ve received.

Information Security Policy

Organisations must be able to show how they comply with GDPR EU regulation by having a data protection policy. Depending upon the size and nature of your organisation you might have a single ‘information security policy’, or individual policies that cover different aspects of personal data protection, such as a cryptography policy, a privacy impact assessment policy or a sensitive personal data policy. There must be documentation to show the technical security measures that you have in place. Technical security covers computer systems but also things like the disposal of old computer hard drives and the physical security of the building, e.g. CCTV and door locking systems.

Final point: organisations have the responsibility to maintain accurate records of all the personal data processing activities that take place. These records need to be in writing as well as in electronic form in order to meet GDPR EU regulation.

NDC has introduced a range of essential GDPR training courses to help you raise GDPR awareness within your organisation, implement an information security management system to achieve GDPR compliance and conduct internal audits to maintain compliance.

Get in touch to discuss your GDPR compliance needs.

How can you make employees aware of the new GDPR data protection requirements?

It’s vital to make everybody in your organisation aware of the new data protection requirements that the GDPR will bring. The majority of data breaches that occur are due to human error – sending information to the wrong email address, failing to encrypt data, and losing memory sticks or mobile devices. Under the GDPR, penalties for such errors could be up to 20 million euros, so it’s imperative that each employee who has access to data understands and follows your GDPR policy. Key decision makers in your organisation must identify areas that could cause compliance problems under the GDPR so that resources can be allocated now. Leaving preparations until the last minute could make compliance difficult.
1. Make all employees aware of GDPR data protection requirements

Everybody in the organisation must understand the implications of a data breach to the organisation, to data subjects and to themselves. For the organisation, a data breach could incur GDPR penalties as well as loss of reputation. For the data subject, the risks are immeasurable – a quick Google search reveals what can happen if personal data falls into the wrong hands. For employees, failing to meet data protection requirements could mean disciplinary proceedings or dismissal. Your organisation must be able to evidence GDPR compliance to prove that every necessary safeguarding procedure is in place. GDPR aside, every one of us has a right to expect that our personal data is handled carefully – that’s the core message employees must embrace.
2. Give employees relevant training

It’s important to provide staff with a general overview of the GDPR data protection requirements. However, it’s even more important that the training you provide is relevant to your particular organisation and your employees’ roles. In order to reduce the risk of data breaches, employees must be able to see how GDPR compliance is relevant to their day-to-day tasks. This might include educating employees about the importance of hard-to-crack passwords and why passwords must be changed regularly. Many people use the same password for all their accounts, both at home and in the office! You might talk about why confidential waste must be shredded, how to encrypt data, why specific data is kept at all, how long data should be kept, or question why confidential data is taken out of the office.
3. Teach employees how to identify when a data breach has occurred

The GDPR will make it compulsory to report serious data breaches to the individuals at risk and the ICO within 72 hours of discovery. Obviously, you want to train employees to avoid this happening, but they still need to know how to recognise a data breach and what to do in the event of one. If your training programme is relevant to your particular organisation, it is easier for employees to identify a breach and pass on what they know to the appropriate person (the Data Protection Officer if you have one) immediately.
4. Training is better face-to-face

If your employees train online then you need to supplement this with face-to-face training. Online training isn’t specifically tailored to your organisation and to your employees’ roles, but only gives a generic understanding. The ability to have a discussion, to ask questions and to learn from others is invaluable. Moreover, the trainer can make adaptations to their course on the spot to address important points.
5. Begin training your employees today – and continue!

The more prepared you are today, the more likely you are to comply with the GDPR data protection requirements when they come into force in May. Training needs to continue beyond that date so that new employees are up to speed as well. GDPR training could be part of your organisation’s new employee induction programme. Employees who have received training need regular refreshers to keep their understanding clear and also to incorporate any issues they may have discovered since their previous training.
REMEMBER: Cyber-security tools only work if employees use them correctly. It’s important that employees are trained so that your organisation avoids data breaches and GDPR penalties. Make sure they understand how to adapt their everyday roles to meet the GDPR data protection requirements.