Ensuring your employees keep their desks tidy might not be a top priority for your business. But in the age of GDPR, clean workspaces really do matter. By now you’ll be familiar with some of the ways you can comply with GDPR - updating authentication procedures, for example, or gaining explicit consent from individuals whose data you process digitally. However, GDPR doesn’t just apply to data you hold electronically. Data breaches can just as easily stem from carelessly stored physical data – on notepads, in paper filing systems and in other traditional information storage systems.
In 2015/2016, according to the ICO, 26% of data security breaches concerned theft and loss of paperwork. It’s for this reason that many businesses are now enforcing strict company-wide clear desk policies.
WHAT DATA DOES GDPR COVER?
The legislation defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’)”. The regulation is also explicit that ‘data’ does not just mean cloud-based information or details about individuals held electronically. It also includes:
“personal data processed in a non-automated manner which forms part of, or is intended to form part of, a ‘filing system’ (that is, manual information in a filing system).”
So it’s clear that to safeguard your business from data breaches a holistic approach to data processing is essential. The ICO provides resources and tips on how to raise awareness across your company. Many of our clients find these guides extremely useful. Here at Big Data Law in London we offer bespoke privacy audits (GDPR GAP analysis) to help clients reach a comprehensive view of the data they process and identify the risk of data breaches.
As part of these reviews we ask you to consider how you:
• store personal information; and
• protect the information from unauthorised access or disclosure.
Information left unsecured on a desk or in a meeting room presents a clear risk. Once identified, you must be able to show you have taken steps to remove the risk of breach. And a clear desk policy is one way to do that. How, for example, would you prevent an unhappy employee or external cleaner photographing or copying personal information visible on a desk and placing that in the public domain?
ELEMENTS OF A CLEAR DESK POLICY
Some ways you can minimise the risk of data falling into the wrong hands and leading to potentially heavy GDPR sanctions include:
• Clear password protocols, meaning passwords should never be written down or left where they can be read by third parties
• Before printing emails or documents, asking whether a hard copy is really necessary
• Introducing a requirement to clear away all paperwork from desks at the end of the working day
• Installing privacy filters on all computer screens
• Ensuring there are lockable drawers at each workspace
• Carrying out regular GDPR training for all staff
THE INTEGRITY AND CONFIDENTIALITY PRINCIPLE
One of the underlying principles of GDPR is ‘integrity and confidentiality’, or security. The rules state that personal data must be
“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
Of course, GDPR doesn’t impose an obligation on you to have a clear desk policy. But remember: if there is a data breach at your organisation, the ICO will immediately look at the processes you had in place to prevent such a breach.
A properly implemented clear desk policy is an excellent way to demonstrate this. And it could act as a significant mitigating factor when the level of any sanction is under consideration. But it’s not enough to pay lip service to a clear desk policy. It should be set out in any staff handbook and employees should all understand how it works.
Every single employee can potentially cause a data breach if personal information is not securely monitored and stored.
At Big Data Law our GDPR compliance packages can help ensure you meet your obligations. For more information please contact GDPR Solicitors UK or call us on 0203 670 5540.