GDPR Action Plan - Fighting daily compliance breaches
When it comes to GDPR, awareness and compliance are closely linked. But there are a lot of myths and misinformation out there with respect to GDPR. The European Commission thought it was so important they published this cool factsheet. And that’s a big part of why we developed the GDPR Action Plan Wall Chart - to help build GDPR awareness in your organization. Any way you slice it, raising staff awareness about the GDPR is important. And that’s not a myth. In that spirit, here are a few compliance breaches you or your colleagues might be committing on a daily basis that could put your organization’s compliance at risk.
Forwarding email with PII without permission
To be GDPR compliant, think twice before forwarding an email. If it contains personal information, it shouldn't be forwarded to a colleague without the original sender's permission (or another lawful basis that covers the new recipient and purpose). For example, forwarding a resume to get a second opinion on a candidate, or forwarding a client's request to make sure it is followed up on. Each forward is a further disclosure of personal data, so these daily actions, even when performed with the best of intentions, put you in breach of GDPR if nothing justifies them. (Art. 6)
Forgetting to encrypt emails with PII
When replying to email messages containing personal information, especially if it's classified as sensitive (health, biometric, or other special-category data), encryption is a must, even if it's time consuming or annoying: it protects the message in transit and in any mailbox it ends up in. If email encryption isn't seamless in your organization, training your staff on how to enable it is vital. Encryption is named explicitly in the regulation as one of the basic security measures that should be in place to secure personal information. (Art. 32)
Gossiping about medical conditions
When someone calls in sick or takes medical leave from work, only share that the person in question isn't feeling well. Stay light on the details. Details about medical conditions are "data concerning health", one of the special categories of personal data, and shouldn't be shared without explicit consent or another Art. 9 exception. Strictly speaking, GDPR protects people who are in the EU, regardless of citizenship, so your sick colleague would need to be in the EU for gossiping about his/her health situation to be a GDPR issue, but still. Since privacy regulations everywhere else in the world are taking their cues from GDPR, adopting the GDPR mindset early on can't hurt. (Art. 9)
Hoarding old data
Being sentimental about old data can get you in trouble. Any information that isn't useful anymore, or that no longer serves the purpose it was collected for, has to be deleted unless a legal retention obligation requires you to keep it. Your organization should have systems in place to manage the lifecycle of information on common storage locations. But what about your workstation? If you happen to have Word, Excel, or any other type of file containing personal or sensitive information that no longer serves the purpose it was collected for, it's time for a purge. (Art. 5, Recital 39)
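One way to make the workstation purge less of a guessing game is a small retention sweep that lists office files older than your retention period so you can review and delete them. The script below is an added example, not part of the original post or any product it mentions; the 365-day period, the file extensions, and the sample directory layout are assumptions for illustration. It deliberately reports rather than deletes, so someone can confirm there is no legal hold on a file before it goes.

```python
"""Retention sweep for a workstation (added example, not from the original post).

Walks a directory tree, flags office-type files whose last modification is older
than a retention period, and returns them for human review. Nothing is deleted.
The extensions, the 365-day default and the sample files are assumptions.
"""
import os
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

# File types the post mentions (Word, Excel) plus other common office formats (assumed set).
OFFICE_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".csv", ".pdf"}
SECONDS_PER_DAY = 86400


@dataclass
class StaleFile:
    path: Path
    age_days: int


def find_stale_files(root, retention_days=365, now=None, extensions=OFFICE_EXTENSIONS):
    """Return office files under `root` not modified within `retention_days`, oldest first.

    `now` can be injected so results are deterministic; it defaults to the wall clock.
    """
    now = time.time() if now is None else now
    cutoff = now - retention_days * SECONDS_PER_DAY
    stale = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() not in extensions:
                continue  # not a document type we track
            try:
                mtime = path.stat().st_mtime
            except OSError:
                continue  # unreadable or vanished mid-walk; skip rather than abort the sweep
            if mtime < cutoff:
                stale.append(StaleFile(path, int((now - mtime) // SECONDS_PER_DAY)))
    return sorted(stale, key=lambda f: f.age_days, reverse=True)


def build_sample_workstation(base, now):
    """Constructed sample data: a fake home directory with files of different ages."""
    base = Path(base)
    files_and_age_days = {
        "candidates/cv_2016.docx": 800,      # old CV, should be flagged
        "clients/requests_2017.xlsx": 500,   # old client sheet, should be flagged
        "clients/current_quarter.xlsx": 10,  # recent, keep
        "notes/todo.txt": 900,               # old but not an office file, ignored
    }
    for rel, age_days in files_and_age_days.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample content")
        stamp = now - age_days * SECONDS_PER_DAY
        os.utime(p, (stamp, stamp))  # backdate the modification time
    return base


def run_demo(now=None, retention_days=365):
    """Build the sample tree in a temp dir, sweep it, and return the stale entries."""
    now = time.time() if now is None else now
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_workstation(tmp, now)
        return find_stale_files(root, retention_days=retention_days, now=now)


def report(stale):
    """Human-readable review list: age in days and path, oldest first."""
    return "\n".join(f"{f.age_days:5d} days  {f.path}" for f in stale)


if __name__ == "__main__":
    print(report(run_demo()))
```

Point `find_stale_files` at your own Documents folder to use it for real; the report is the input to a review, not a delete command, because the retention rule has exceptions (legal holds, statutory record keeping) that a file's age alone can't tell you about.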
Be the Change!
If you followed our whole blog series on GDPR (if you didn't, you can start with the first post here), you might have thought of other ways GDPR can affect everyday work life. Have you and your colleagues changed the way you work since May 25th, 2018? If you think there's still a long journey ahead for your organization, why not build awareness by sharing this post across your organization and putting up our GDPR Wall Chart, which is both easy on the eyes and educational? It takes a minute, and a small initiative like this can help get the ball rolling.