[GDPR] Training – Your Responsibilities as an Employee

A Guide to Data Protection and the GDPR

This article forms part of a collection to introduce you to what Data Protection and ‘GDPR’ are. It’s based upon staff training that we’ve provided for companies to make sure they had a basic working knowledge and were able to take the steps to protect individuals personal information in their care.

This guide takes you through the overview and basics of Lawful Data Processing. If you have any questions or require consultation or guidance please don’t hesitate to contact me to discuss further.

Your responsibilities as an employee.

As part of any organisation to which the GDPR applies you have the responsibility as a staff member to protect that data from accidental misuse, hackers and actions of malicious staff or third-parties.

For all personal data you encounter or engage with on a daily basis you need to reflect on how sensitive this data is and therefore take the right protective measures. You are personal data and the companies real the last line of defence. The way you act with the data and the risks you take have a direct effect on the protections as well as your organisations future. 

This includes against other staff members, If you’re ever asked to disclose personal information either about other staff members or your clients or customers be it by a colleague, manager or third-party you need then you need to question why, you need not be afraid to say no and require additional evidence or okay from a second senior staff member or your designated data protection officer, or a senior staff member designated as the data protection lead. At least in my formal as a Data Protection Officer at the company, I work I instil that confidence of questioning and verifying anytime they’re unsure about any personal data transfer. Taking a privacy-first approach and educating both the staff member whose requesting the data and the staff member who is concerned about discussing the potential risk to data (if it exists) and how to mitigate that risk, or how to make sure they ask for the right thing in the future.

Examples of ‘accidental’ misuse in the office workplace.

  1. E-mailing the wrong client or staff member where the contents of the email contain personally identifiable information (PII).
  2. Not collecting a print-out that contains PII or leaving that print out on the wrong desk in the office.
  3. Shredding (if paper) or deleting (if digital) accidentally the wrong customer’s information that you did not have permission to remove.
  4. Accidently editing the wrong customer’s information which you did not have permission to edit.
  5. Not correctly setting file permissions on a file that you’re sharing through a cloud platform (such as Google Drive, Microsoft One Drive etc) where that can then become public or accessed by unauthorised users.
  6. Taking data home without expressed permission, or making unauthorised copies or backups.

Misuse of data is a GDPR breach

Now it’s important to say that I always prefer the term data misuse as it helps explain examples better, but the actual term under GDPR is ‘Data Breach’ and each of the examples above are considered Data Breaches. Data Breaches while a black and white – it either is or it isn’t, once it is data breaches are rated on a scale based upon the scale and amount of risk to rights and privacy they cause to the data subjects – It’s not your place as an employee or a manager unless otherwise designated or trained to decide if something is a breach or not or how severe if you ever suspect or know of a scenario that feels like a misuse of data (A data breach) you need to speak to your DPO or designated data protection lead and inform them straight away. Your company should have a policy and procedure that they’ve shared with you on how to report and act in the event of finding something like this. 

Look ahead for future problems

Finally, It’s your responsibility to look ahead. No one is expecting you to become the mater of data protection strategic foresight but if you can see an issue in the future that could cause misuse of data – unclear instructions, digital vulnerability, concern over policy or staff members then you need to bring it forward – you don’t have to have the answer (although that is always great) but you need to come forward. Whenever I’ve encountered misuse of data (Data breach) people always say to me ‘We could not have known’, ‘This was such a niche scenario that was unexpected’ and that just isn’t ever true. We tell ourselves that to make ourselves feel better but we all know if we sat down months ago and discussed through someone would know it, or worse someone would suggest checking. Your organisation may tolerate risk, they say the seeds of your destruction lay in the forests of your success but it’s your responsibility to protect data for your data subjects, to protect your organisation from fines and generally make sure you give the same care as you’d expect someone to look after your personal information (if not better care!)