Though the UK is expected to leave the European Union in the next few years, it will still be subject to some EU laws and guidelines. The General Data Protection Regulation (GDPR), which governs the use of personal information inside and outside the bloc, applies from 25 May 2018, and the current culture secretary, Karen Bradley, has confirmed that the UK will opt into it.
Does this matter for training professionals? In a word: yes. Whether you work for a small consultancy or a FTSE 100 company, you need to think about data protection in your organisation. Protecting customer data is about much more than keeping your antivirus software up to date or shredding the right documents at the right time. A business needs to embed data protection learning and development into its culture if it is to avoid heavy fines and lost business.
Fines and charges
The GDPR strengthens the hand of the Information Commissioner's Office (ICO). Once it applies, the ICO will be able to fine an organisation up to 20 million euros or four percent of its annual worldwide turnover, whichever is higher, for the most serious infringements, including a major data breach.
More common, however, are the penalties incurred by businesses with substandard record-keeping. For example, if HMRC visits a business twice and finds evidence that documents have been removed or destroyed, it could face an initial fine of £500 (£250 for companies in their first year of trading). If HMRC finds that a business has destroyed documents deliberately, the fine can rise to between £1,500 and £3,000.
If your company is particularly cashflow sensitive, fines like these can be devastating. More worrying still are the penalties the ICO can already impose. Breaches of the Data Protection Act 1998 (DPA) allow the ICO to levy monetary penalties of up to £500,000, and it will exercise that power when necessary: an NHS trust (Brighton and Sussex University Hospitals), for example, was fined £325,000 in 2012 after hard drives holding around 79,000 patient records were sold on eBay.
So how do you make your organisation better at data protection? In short, don’t be dazzled by digital.
Data protection efforts often concentrate on electronic records. For example, the UK's Information Commissioner, Elizabeth Denham, recently recommended to a Parliamentary committee considering the draft Digital Economy Bill that company directors should be held personally liable for electronic data breaches. That recommendation was widely reported, but data protection failures are frequently far more basic. An understanding of what should and shouldn't be kept, and for how long, needs to be embedded across the organisation before the basics of data protection are covered.
Stay up to date
We often find that PAs and office managers serve as the gatekeepers of a company's most sensitive records. Unfortunately, however diligent these individuals are, they are rarely well-versed in data retention and destruction law, and because there is no central repository of the relevant regulation and legislation, and no continuing professional development on the subject, it is hard for them to stay up to date.
The legislation a business needs to stay on top of might include, for example, the Data Protection Act 1998, the Financial Services Act 1986 (now largely superseded by the Financial Services and Markets Act 2000), the Value Added Tax Act 1994 and the Freedom of Information Act 2000.
The Data Protection Act is perhaps the most prominent of these, because it has implications for every kind of business. It governs the collection and processing of personal data, the idea being that it gives individuals control over information about themselves. The Act itself sets no specific retention periods, but its fifth data protection principle requires that personal data "shall not be kept for longer than is necessary" for the purposes for which it is processed.
For specific retention periods, it is necessary to consult other legislation. For example, the Limitation Act 1980 sets a six-year limitation period for most contract claims, which is why documents such as personnel records and changes to terms and conditions are commonly retained for six years. Hold on to a document for too long and you will run into trouble; destroy it too early and you may be unable to defend a claim. Even items as seemingly mundane as board and general meeting minutes must be kept for ten years from the date of the meeting under the Companies Act 2006.
Training professionals have an important role to play in ensuring that each department knows which data protection legislation applies to it and reviews that legislation regularly, so that the business remains compliant. They then need to work with the colleagues responsible for making sure retention policies are actually followed. It is about mentality and responsibility: your staff will inevitably look to you for guidance and best practice, whether your records are digital or physical.