Companies are still making avoidable compliance mistakes: 7 things you need to know about data privacy.
Data privacy regulations have been in place for many years, yet organisations regularly fall foul of straightforward data privacy requirements – sometimes accidentally, and more often through negligence. In this article, we cover simple steps to avoid making common privacy mistakes, from lack of transparency to ‘failure to redact’.
1. What is data privacy?
Data privacy refers to the protection of personal information collected and/or stored by companies. Specifically, any details that would reveal the identity of an individual or individuals must be kept securely and must not be shared.
Most breaches that attract publicity relate to highly sensitive data such as financial information and medical records. However, any and all data that could lead to someone’s identity being revealed without their permission constitutes a breach of an individual’s privacy rights.
Data can take the form of text, documents, images, audio and video.
2. What data privacy regulations are there?
The majority of countries around the world have established data privacy regulations. In fact, more than 70% have regulations in place.
One of the most familiar regulatory terms is Personal Identifiable Information (PII) which is the term used to described private information in the USA, and is defined as:
“Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.”
The fact that there are many countries and regions with regulations that differ slightly means that organisations that operate internationally have to be aware of multiple regulations in order to operate compliantly.
Global data privacy compliance means following the rules and regulations of each country you do business in.
In this article we will concentrate on UK GDPR, which is explained, monitored and enforced by the Information Commissioner’s Office (ICO).
3. Tell people that you are collecting data
An aspect of compliance that is easy to overlook is that you must tell people that you are collecting data. For example, customers or members of the public must be told explicitly what data you collect, no matter what type of organisation you are, for example, a retailer, public authority, school, or charity.
In the case of CCTV cameras, it must be made clear that cameras are in operation. There are, however, some controversial circumstances when covert surveillance is undertaken when fraud is suspected, which we wrote about in a recent blog [ add link]
The important point to note is that you must be totally clear with people about the fact that you are collecting data, whether it is in a bricks and mortar environment where signage should be in place, or an online environment where policies should be available to view. Also note, that employers should be clear to staff about what data is collected, or there will be consequences if the employer were ever challenged about its data practices.
4. Tell people why you are collecting data and what you will do with it
There are numerous positive reasons to collect data. Monitoring people and analysing trends are important to promote health and safety, for example by measuring building occupancy or visitor flow at busy locations such as train stations. Businesses will hold data on staff in order to prove their ‘right to work’, to pay them, and to inform someone in the event of illness or an accident.
Even if the reason for data collection is both reasonable and obvious, it must be made clear to people why data is being collected, how it will be stored and used, and how long it will be kept for.
Consider it best practice when alerting people to data collection to provide contact details for your organisation and the name of your Data Protection Officer, if you have one.
Transparency and engagement are key to maintaining good relations with those whose data you hold.
5. Training, training, training … keep staff current
When you have published comprehensive policies, it is too easy to think that you have all the compliance bases covered. However, things change. The staff who were in charge of data privacy management may have moved on. Are your new recruits familiar with the expectations and privacy practices of your business?
Human error, rather than malice, accounts for many data breaches. For staff handling sensitive data, top-up training and regular policy reminders are considered good practice to ensure that oversights do not lead to compliance errors.
The ICO places special emphasis on the importance of proper compliance training. We covered in another article how the ICO recently reprimanded a not-for-profit organisation for not having adequate compliance training and orientation in place.
6. Stay up to date with the latest privacy cases
Keep up with the latest data privacy cases as they can help you learn from others’ mistakes.
The ICO’s round-up of data breaches (2022) cites instances of breaches resulting from a wide variety of privacy failures, including cyber breaches, misdirected emails, insecure storage, failure to redact, unauthorised access, and verbal disclosure.
Keep yourself informed to reduce the risk of sizeable fines and reputational damage to your business.
7. Take special care when sharing data
In the ICO’s records of data breaches there are hundreds of breaches associated with avoidable errors.
Human error usually lies behind information being posted or emailed to the incorrect recipient. The results can be disastrous for the individual and the company involved, as was the case with recent NHS communication errors.
If there is a breach through unauthorised access, someone either does not know their level of responsibility or a manager has failed to put the appropriate permissions in place.
The hundreds of breaches owing to ‘failures to redact’ result from several avoidable causes: including reckless disregard for regulations, and a lack of technical understanding.
In the case of document redaction, compliance professionals have to be aware of the potential for content to be un-redacted and revealed. Metadata introduces the potential for simple redaction-reversal. This is an avoidable mistake as it is straightforward to remove sensitive data from documents entirely, rather than simply to mask it.
The causes of ‘failure to redact’ breaches involving video tend to result directly from an organisation’s sloppy attitude to risk.
Data professionals simply cannot take a ‘wait and see’ attitude to data privacy. Once there is a data breach, the damage is done and is irreversible. Failing to redact, undertaking amateur redaction, or allowing video to go outside your own secure environment, are all high-risk approaches.
More so than with documents, too many businesses are prepared to wait until their video data privacy protocols are challenged and found wanting.
Progressive companies invest in fast, automated, 100% reliable redaction software that enables them to manage data privacy fully in-house and meet data subject access request deadlines comfortably. To find out how our software automatically redacts high volumes of document and video files, get in touch.
