Plutarch said it, so it must be true. “What is this?”, I hear you cry. “Have I stumbled upon some new-age contemplative drivel when I was looking for sound advice on cyber-security?”. Well, no. Firstly, Plutarch is hardly new-age, and secondly, that’s all the philosophy you’re getting.
This post is actually about Morrisons. There: sublime to ridiculous in one sentence. A High Court judge has just ruled that Morrisons shares responsibility for a 2014 data breach involving the disclosure of payroll data on 100,000 employees; that data included most of what you need to carry out an effective ID theft, so it genuinely was a big deal. The breach itself was deliberate, carried out by a disgruntled employee, and the logic of the ruling is that Morrisons should have done more to prevent it.
Why do we care? Because everyone who’s looking at GDPR is looking outward: they’re focused on consumer data – customers and marketing prospects. And in one sense they’re right, because they likely have more of it, and GDPR and ePrivacy make significant changes to how that data may be handled.
But it would be a big mistake to forget about your internal data – the information you hold about staff – present and former – and employment candidates. They are still natural persons (the GDPR’s term for individuals) and have very strong rights to privacy and data protection. Worse still, you tend to collect much more sensitive information about them than you do about customers.
I’m not just talking about financial and identity data – although that matters. I’m seeing a lot of clients who are collecting ethnicity, sexuality, religion, gender identity and so forth as part of a well-intentioned equal opportunities policy. They mean well, but often execute badly. That kind of data is specifically given extra protection in the GDPR (wonks like me call it Article 9 Special Category data): processing it is prohibited outright unless one of a short list of specific conditions applies, and the heightened risk it carries means it attracts correspondingly stronger security requirements.
This is not news. The same protections were afforded to this data (under the label “sensitive personal data”) in the 1998 Data Protection Act, and the ICO has a couple of very useful publications (here and here) that explain exactly what you should, and should not, be doing. Read them. Comply with them. Then not only will you be better placed for GDPR, you’ll also no longer be breaking a law that celebrated its 19th anniversary this year.