I don’t know about you, but every day I open emails and articles about data security and our obligations in business. It’s feeling a little overwhelming, but on closer inspection, most of the conversation is pretty sensible.
The headlines have been the data breach legislation in Australia and the GDPR in the European Union. That resulted in a swath of updates to business terms and conditions, and it’s something we will all have to think about as well. It’s not an IT issue, it is a business issue. I can’t think of any businesses that don’t hold some personal data about people that needs to be respected. At the least it would be names and phone numbers of staff, suppliers and frequent customers. Many businesses have more, subject to what they do.
We all have a responsibility to manage this respectfully. While most of us do, there will be a few businesses that are dismissive of their obligations. That could be very expensive! Under GDPR, in the EU, business can’t afford to be dismissive. The penalties are horrendous: up to 20,000,000 euros or 4% of global turnover.
So, what do you do?
1. Audit – check what personal information you hold, and why. This can range anywhere from names and addresses to financial and medical records. If you hold information you don’t need, then stop keeping it!
2. Permission – do you have permission to hold it? If you need to hold data to undertake a service for the client, make sure you have their permission and make sure you only use it for the stated purpose. The individual has the right to ask to see the data you hold about them and to correct it.
3. Right to be forgotten – this is difficult. It reflects the idea that once you no longer need someone’s data, as the purpose that you gathered it for no longer requires it, then the person can ask you to ‘forget’ them. Essentially, they revoke their consent for you to hold their information. You are obliged to erase this as soon as possible! If you need their data for your own compliance – tax records being a good example – then you can anonymise it. In theory this extends to deleting their data from your backups as well, but we know of no practical means to do this.
4. In the event of a breach – you have to notify the authorities and affected parties ‘without delay’. Unfortunately, despite our combined best efforts, this is probably more a question of when, not if. To help make that less likely, Kinetics is currently introducing a new enhanced security service.
This is intended to be an ongoing compliance obligation – like ISO9000 was and health and safety is. In fact, that’s a great comparison. Just as we need to keep people physically safe, we also need to keep their data safe – these are intertwined ideas.
By and large, this seems sensible and much of it has been law in NZ since the Privacy Act 1993. There is a bill currently before parliament that updates this. It proposes adding mandatory data breach notifications and strengthening the power of the Privacy Commissioner. The objectives and principles seem sensible, and it is a handy reminder of our collective responsibility.
How can we help you comply?
The Kinetics “FlightPlan” toolkit has been updated to add a data privacy section that works through these items with you. Call your account manager or get in contact to make an appointment.