"Christmas Time, Data Protection Time"
Hold on – those aren’t the words, are they?
While I am no Grinch and do not wish to spoil the time of year we all look forward to the most, the festive period is typically when data protection, like most things, takes a backseat and our minds are on presents, food and what to watch on TV.
But you ignore data protection at your peril. Make sure that it is Santa Claus – and not the Information Commissioner – who comes to town, by taking these steps:
employee levels can be low because holidays need to be used up before they are replenished in January. Employees with data protection expertise might be out of the office and no one else can help with those difficult “can we do this?” queries. Address this by training several employees in data protection to ensure you are not left out in the cold;
in the spirit of goodwill, some choose to give something back by volunteering. Depending on what volunteers do, they may have access to personal data held by your organisation. Even if they are only with you for a few days or weeks, volunteers should be data protection trained to reduce the likelihood of data security breach incidents, such as loss or unauthorised use of personal data. If volunteers are children, ensure that you have parental consent to using their personal data for volunteering purposes;
organisations increasingly allow flexible working, whereby employees can work remotely from home during school holidays. This is not without its risks and entrusts your organisation’s data security to the measures, if any, that employees have in place on their home network and personal devices. Implement a remote working policy, only permit data transportation via encrypted memory sticks and ensure that employee devices can be “remote wiped” if compromised;
your organisation may decide to upload photographs captured during the Christmas party to its publicly accessible social media accounts. If so, obtain the consent of those whose photographs have been uploaded. Consent need not be written but at least record the fact of consent by way of audit trail;
electronic greetings cards are becoming increasingly common because of their environmental friendly nature. When sending them to multiple recipients, use your e-mail client’s “bcc” function to avoid disclosing recipients’ e-mail addresses to all;
if hosting a fundraising event, ensure you have the invitees’ consent to sending them electronic invitations. Failure to do so could breach the Privacy and Electronic Communications Regulations;
if your organisation is closed for two weeks, consider how effective your physical and electronic security is in case the worst happens. Ensure paper files and portable media containing personal data are locked away and computers secured with strong alphanumeric passwords;
if you receive a subject access request before you close, you must respond within forty calendar days. Once your organisation re-opens in January, beware that you may already have lost up to sixteen days; and
2018 brings with it new data protection laws. When making your Christmas list, also make a list of what you need to do in 2017 to ready yourself for the new EU General Data Protection Regulation.
Take these steps today and have a peaceful and data protected Christmas!