Employment News

News added on 14.01.2019

Data protection

64% of workers have breached GDPR rules

A new survey has revealed that 64% of workers have already breached GDPR rules by forwarding customer or client e-mails to their personal e-mail accounts in the four months following the GDPR coming into force. What should you be doing to prevent this sort of breach from happening?

The survey, carried out by Proband on over 1,000 workers, also found that 84% of the workers who admitted to forwarding work e-mails to their personal e-mail accounts didn’t believe they were acting unlawfully, because they had no malicious intent. However, a breach of the GDPR rules doesn’t require any element of malicious intent to be shown; breaches can be entirely innocent. Even if workers are simply trying to catch up on their work out of hours at home, it’s a breach of the GDPR to forward sensitive customer or client information to a third-party e-mail address outside of the company.

It’s clear from the findings of this survey that employers need to be doing more to educate their workers on the GDPR provisions, and on data protection generally. As GDPR breaches can result in potential fines of up to £17 million (€20 million) or 4% of global annual turnover (whichever is higher), staff training is essential. The GDPR requires that you implement appropriate technical and organisational measures to ensure the security of the personal data that you hold, and this is likely to include employee awareness training. In addition, you must be able to provide evidence to demonstrate your compliance with the GDPR. Therefore, the recording of such training is also a key aspect of your obligations. You can carry out the training yourself if you’re confident on GDPR matters, or you can engage an external training agency to do it for you. Online training is also a possibility, but it’s better if this can be followed up with a face-to-face session. This will allow staff to ask any questions and to run through any scenarios specific to your business. If you have appointed a data protection officer, Article 39 GDPR states that one of their tasks is to monitor GDPR compliance, including “awareness-raising and training of staff involved in processing operations”.

The Information Commissioner's Office (ICO) has just published a new Guide to Data Protection which covers both the GDPR and the Data Protection Act 2018. It’s for data protection officers and others who have day-to-day responsibility for data protection, is aimed at small and medium-sized businesses and is split into five main sections:

  • introduction to data protection
  • guide to the GDPR
  • guide to law enforcement processing
  • guide to intelligence services processing
  • key data protection themes.

The first, second and fifth sections may provide you with a useful starting point to create a staff training session.

It’s essential that you train your workers on the GDPR, and that you keep a record of the training you carry out. Not only does training reduce the risk of breaches, it also demonstrates your compliance with the GDPR. Make sure the training is both practical and tailored to the data protection requirements of your business. In addition, give staff the opportunity to ask questions.

© Indicator - FL Memo Ltd • Telephone: (01233) 653500 • Fax: (01233) 647100 • customer.services@indicator-flm.co.uk • www.indicator-flm.co.uk
Calgarth House, 39-41 Bank Street, Ashford, Kent TN23 1DQ • VAT GB 726 598 394 • Registered in England • Company Registration No. 3599719

  • Duncan Callow - Publisher - 17 January 2019

    great article