Who is responsible
Data protection is everyone's responsibility: it protects the personal data of any individual who is part of a company or any other legal entity. Data protection rules do not protect information about the company itself. However, information about a one-person company can constitute personal data when that person can be identified.
A manager always has the additional responsibility of ensuring that the processes they manage protect personal data in line with the rights and principles set out in tools such as:
- risk assessment templates;
- data protection assessment templates;
- product/service customer assurance templates.
Any personal data issue or information security incident must be reported to the data protection team straight away, because any delay makes things worse.
Imagine that someone was able to see unprotected login details (username and password) of a company member for a company portal. If this is discovered in time, that user's access can and must be blocked immediately and the credentials changed, before an intruder can do damage in the company's systems.
When someone unauthorized gains access to protected data, this is called a data breach.
A data breach can occur when:
- information is sent to the wrong person;
- somebody loses a USB stick containing unencrypted important information;
- a hacker gains access to a company computer or database;
- a data subject access request is answered and the personal data is released to the wrong person, or someone else's personal data is included in the same file.
When a personal data breach happens, a company may be required (depending on the severity and on when it was discovered) to report it to the data protection authority within 72 hours of becoming aware of it, and to inform each affected individual without undue delay when the breach is likely to put them at high risk.
Data Protection Rules
When sending emails, a set of rules must be respected to comply with the data protection policies:
- Files containing important data must be put into an archive protected with a password, using an archiver that offers strong encryption (for example AES-256, as in 7-Zip); the legacy ZipCrypto scheme used by ordinary password-protected ZIP files is weak. The file and the password must never be sent in the same email. It is much better to send the archive by email and the password by phone, text message or another separate channel, so that someone who intercepts one of them does not get both and cannot access the protected data;
- When sending details about a person by email, reduce the details to the minimum the recipient needs. Data minimization is a core principle of data protection. If you need to give a person's name to someone by email, do not add their address or workplace if the recipient does not need them.
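The archive-plus-separate-password rule above, as an added example (this is not code from the article or from any archiver it mentions): the file is encrypted under a random passphrase with AES-256-GCM, the key being derived from the passphrase with PBKDF2-HMAC-SHA256 (written out here so only the Go standard library is needed); the ciphertext is what goes into the email and the passphrase is what goes by phone or text. Someone holding only the attachment, or a recipient who types the passphrase wrongly, gets an authentication error rather than garbage, and a modified attachment is rejected the same way. The sample record and the iteration count are assumptions for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen  = 16
	nonceLen = 12     // standard GCM nonce size
	keyLen   = 32     // AES-256
	kdfIter  = 100000 // assumed cost; slows offline guessing of the passphrase
)

// pbkdf2SHA256 implements PBKDF2 with HMAC-SHA256 (RFC 8018) using only the
// standard library: T_i = U_1 xor U_2 xor ... with U_1 = HMAC(salt||i).
func pbkdf2SHA256(pass, salt []byte, iter, dkLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < dkLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac := hmac.New(sha256.New, pass)
		mac.Write(salt)
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset() // keeps the key, clears the data
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// NewPassphrase returns a random passphrase (120 bits, 24 base32 characters).
// It is sent over a channel other than the email that carries the archive.
func NewPassphrase() (string, error) {
	b := make([]byte, 15)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base32.StdEncoding.EncodeToString(b), nil
}

func newGCM(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, kdfIter, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a file's contents under the passphrase. The result is the
// email attachment: salt || nonce || AES-256-GCM ciphertext and tag.
func Seal(plaintext []byte, passphrase string) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	gcm, err := newGCM(passphrase, hdr[:saltLen])
	if err != nil {
		return nil, err
	}
	out := append(make([]byte, 0, len(hdr)+len(plaintext)+gcm.Overhead()), hdr...)
	return gcm.Seal(out, hdr[saltLen:], plaintext, nil), nil
}

// Open reverses Seal. A wrong passphrase or a modified attachment fails the
// GCM authentication check, so no partial or garbage plaintext is returned.
func Open(blob []byte, passphrase string) ([]byte, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, errors.New("attachment too short")
	}
	gcm, err := newGCM(passphrase, blob[:saltLen])
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:], nil)
	if err != nil {
		return nil, errors.New("wrong passphrase or tampered attachment")
	}
	return pt, nil
}

func main() {
	// Constructed sample record: must not travel in clear text, and must not
	// share an email with its passphrase.
	record := []byte("name=Jane Doe;employee_id=4711;home_address=1 Example Street")
	pass, _ := NewPassphrase()
	blob, _ := Seal(record, pass)
	fmt.Printf("email attachment: %d bytes of ciphertext\n", len(blob))
	fmt.Printf("passphrase, sent by phone or text message instead: %s\n", pass)
	_, err := Open(blob, "wrong-guess")
	fmt.Println("attacker holding only the attachment:", err)
	pt, _ := Open(blob, pass)
	fmt.Println("recipient holding both:", string(pt))
}
```

The salt and nonce are stored in front of the ciphertext because the recipient needs both and neither is secret; the only thing that must stay out of the email is the passphrase itself.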
When working with personal data (especially when sending emails), plan every process in advance and record:
- what information is sent;
- who receives the information containing personal data;
- and why it is sent;
so that you can answer if a data subject exercises their rights.
The main purpose of data protection is to protect people and their rights.
Data protection matters most for companies that process highly confidential information (related to taxes, accounts, a company's decision-making team, etc.). The main reason for a company to comply with these rules should not be the very large fines that can be applied, but the need to act responsibly and provide the best services without risk to customers, clients, employees and others.
An individual has the right to ask a company or any other legal entity what personal information it holds about them and how it is processed, including the right to withdraw consent or ask for the data to be erased.
Tips about recording information (for individuals)
- ensure you have a lawful basis for recording any sensitive personal data;
- check whether you have a legal obligation to keep some data;
- stick to the rules;
- keep the information up to date and accurate;
- record only the data that is really needed;
- avoid giving personal opinions about a person, except when really needed;
- avoid email and other informal electronic communication channels where possible;
- don't send any personal information by email that you would never put on a postcard;
- when writing about somebody, never use words that would embarrass anybody, including the person you are writing about; one day that person may have access to the email.
GDPR is the EU General Data Protection Regulation, but it also applies to companies and organizations outside the EU that target EU customers. To read more about GDPR, see the next article: https://mybusinessknowledge.com/articles/gdpr-meaning-and-role/
SEO title and Description
Data Protection - what data can be stored, why and how it will be used, the risks that can appear when processing personal data and who protects it
Data Protection - what data to store and how to use it responsibly