GDPR – The role of HR in security
Can security be left to the IT department?
As you might imagine, the answer is no. Employers and their advisors have spent considerable energy in the last few months reviewing what data they hold and updating their Data Protection Policies to satisfy the information requirements of the GDPR (i.e. setting out the purpose for which the data is processed and the lawful grounds for doing so, information on retention of data, transfers to other countries, etc.).
If they have not already done so, now is the time to focus on the security of data and the role HR needs to play.
Not just technical solutions
Article 32 of the GDPR requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The Information Commissioner’s Office (ICO) guidance on security has just been updated.
The ICO guidance lists the types of organisational measures a business should have in place, and at the top of that list is a requirement for ‘co-ordination between key people in your organisation’. The example the ICO gives is that ‘the security manager will need to know about commissioning and disposing of any IT equipment’.
Of particular relevance to employers is Article 32(4), which requires controllers and processors to take steps to ensure that anyone acting under their authority with access to personal data does not process that data unless they have been instructed to do so. It is therefore vital that staff understand the importance of protecting personal data, are familiar with the company’s security policy and put its procedures into practice.
The ICO’s guidance is clear that these steps include initial and refresher training for staff, including:
- The organisation’s responsibilities as a data controller or processor under the GDPR;
- Staff responsibilities for protecting personal data – including the possibility that they may commit criminal offences if they deliberately try to access or disclose data without authority;
- The proper procedures to identify callers;
- The dangers of people trying to obtain personal data by deception (e.g. by pretending to be the individual whom the data concerns, or enabling staff to recognise ‘phishing’ attacks), or by persuading staff to alter information when they should not do so; and
- Any restrictions the organisation places on the personal use of its systems by staff (e.g. to avoid virus infection or spam).
For further information on how we can help you with GDPR, please contact us. The team at ELiAction can provide the HR support you need. Call 01494 817193 or visit our HR Support page.