For many of our clients, the most difficult aspect of being Data Protection compliant is deciding “where to start?” The obligations of the DP legislation touch so much of the day-to-day processing of personal data that it can seem an impossible challenge to put an appropriate Data Protection solution in place.
We were delighted, therefore, when the Danish Data Protection Agency recently set out a list of 12 requirements in relation to the processing of personal data. As a ‘starter kit’ for guidance on putting practical, professional data management structures in place, it offers an excellent template.
Not only does the list of 12 requirements demonstrate compliance with the current EU Data Protection Directive (1995), the current legislation in force across the European Economic Area, it also lays the ground work for compliance under the proposed new General Data Protection Regulation (GDPR), due to come into force in early 2018.
Bear in mind that this set of requirements places legal obligations on employers within Denmark – for companies established anywhere else, though, it offer a solid checklist against which to measure their current data management practices.
The first six Requirements are listed below – to assist with understanding, we have provided a short narrative with each, to put it within the context of the current and future DP legislation.
We will follow up in another article with a similar outline of Requirements 7 – 12.
In each case, there is an obligation on senior management within an organisation to ensure that these structures are in place - as the senior representatives of the Data Controller, they are primarily answerable for compliance with the legislation.
1. An organisation should be able to describe how they protect personal information, including the implementation of appropriate technical and organizational security measures to protect this data against accidental or unlawful destruction, loss or alteration and against unauthorized disclosure, abuse or other processing in violation of the provisions laid down in the EU legislation. This should include documentation on formal policies and procedures, staff training and any risk management strategies which the organisation has put in place in relation to their data processing.
This requirement covers both the obligation to comply with current legislation on keeping personal data safe and secure, as well as the obligation, set out in the proposed GDPR, that organisations monitor and log any threat to the data that they hold. This could include recording attempted data theft, hacking attempts or any incident which threatens the integrity and safety of the personal data.
2. Access to the information should be limited to persons who have a reasonable need for such access. Too many organisations fail to exercise some limitation on access to personal data – many staff have ‘read/write’ access to CRM files and spreadsheets of contact details, when they have no operational or administrative reason for such access. This Requirement challenges organisation to consider appropriate levels of access to data, based on individual roles and responsibilities.
3. Employees who handle personnel administration must receive instruction and education in what they can do with the information. From induction onwards, staff should be offered appropriate and timely training on their responsibilities towards the personal data which the organisation holds. In our experience, most data security solutions fail, not because they are inadequate, but because the staff in the organisation either don’t understand or are simply not aware of their data management obligations.
4. Personnel information on paper – for example in records and binders – must be kept locked when they are not in use. With the proliferation of technology and the tremendous advances in mobile devices and communications, many organisations neglect the paper records under their control. This Requirement provides a healthy reminder that manual records (paper records held in organised files or filling systems) deserve the same level of protection and security as electronic records.
5. All computers and other electronic equipment with personnel information must have a password, and passwords must be changed at least once every six months. The days of sharing passwords, or leaving passwords on post-it notes on the underside of the keyboard or in the pocket of the lap-top case should be over by now. Staff should take responsibility for their own profile and equipment, and this includes any data processing that is done in their name, or on their computer devices. A much larger proportion of data protection breaches are still caused by the inadvertent errors of staff members, rather than any malicious or targetted hack by external parties.
6. If personal data (staff files, payroll information, marketing contact lists, etc.) is stored on an USB-key, the information must be protected by password and/or encryption. Any USB-key or external storage drive on which such information is stored must be kept in a locker or locked drawer when not in use. As technology advances and devices become ever-smaller, the risk of losing, misplacing or having such devices stolen increases exponentially. Some of the biggest data incidents in recent years have come about because of the loss or misplacement of small, relatively innocuous pieces of equipment – a cd-rom containing hundreds of thousands of personnel records from a government ministry, the external storage drive belonging to a senior hospital consultant containing hundreds of highly sensitive, confidential files, etc.
It is almost as if the relatively small size and often bright colours of the device lull us into a false sense of complacency, and we neglect to maintain the appropriate levels of care.
So, as food for thought, have a look at your current data management practices against this initial set of Requirements. Remember to include both electronic and manual records where appropriate!