Since the introduction of GDPR last year, the way in which businesses and their employees handle sensitive information has come under intense scrutiny.
Across industries, companies of all sizes have had to review processes and educate employees to ensure they are compliant with the new data protection regulations, which has impacted all areas of business, from marketing and PR activities through to HR, operations and finance.
Make no mistake, the potential consequences of mishandling data in the workplace are severe. Serious data breaches can lead to heavy financial losses and legal proceedings for a company, while employees found to have mishandled sensitive information may face fines or even lose their jobs.
And yet, research suggests that across the country millions of workers are being slack with sensitive company information, putting themselves – and the businesses they work for – at risk of a data breach.
To put this in perspective, according to a recent survey we commissioned at Shred-it, nearly a fifth of office workers in the UK admit to making a catastrophic error at work by leaving sensitive information lying around or losing something important.
The research revealed that of those workers who had mishandled sensitive information in the office, over 55 per cent admit that their company had consequently lost money or customers.
Furthermore, as a result of a mistake at work which led to a security concern, 40 per cent have had to go through a disciplinary process, 38 per cent have had to pay towards some or all of the cost of the lost information, and a staggering 23 per cent have even lost their job.
These results suggest that SMEs need to take a far more proactive approach to data protection.
So, what can businesses do?
First things first. Business leaders must stay up-to-date with privacy laws and understand what action – if any – they need to take to comply – particularly post-Brexit. The Information Commissioner’s Office website provides clear guidance on this.
It’s also important to remember that data protection refers to both digital information, as well as paper records.
For digital data, companies can take simple steps to help them comply with GDPR, including setting secure usernames, passwords and PINs for all devices, installing anti-virus software and a firewall on every computer, never posting confidential information on social media, not sharing files over public Wi-Fi, and not opening files or links from an unknown sender.
Paper records need the same discipline as digital data: companies should have strict internal procedures in place to protect their confidential information. Documents containing personal information left on printers, on desks or in bins are a compliance risk, and inadequate long-term storage of paper documents, such as archives with unrestricted access, is a key point of vulnerability.
Best practice should include providing locked confidential information consoles that are easily accessible and introducing clean desk policies for everyone to follow in the company.
Businesses should also arrange for the secure destruction of documents after use or after prescribed periods of mandated storage, keeping only digital copies of essential files in an encrypted format.
However, above all else, businesses must have a strict policy on data protection that is communicated clearly across the organisation and updated whenever necessary, in order to avoid a potential breach and the disastrous repercussions that may follow.
Ian Osborne is Vice President for UK & Ireland at Shred-it, the information security specialist.