According to EU Data Protection Legislation, companies processing personal data must implement appropriate technical and organisational measures to guarantee their security, confidentiality, continuity and integrity.
But an effective privacy and security programme must be specially designed for each company or business. As a general rule, there is no one-size-fits-all solution.
Privacy and security policies should be tailor-made, taking into consideration multiple factors such as:
- Business sector
- Type of data processed
- The company’s vision of privacy and security
- Purposes and means of the processing
- Size of the company
- Computer network
- Cross-border data flows
- Employees’ profiles
If we have a privacy and security programme specially designed according to our particular characteristics, not only will this cover our needs and make the implementation procedure easier and more durable, but it will also provide other benefits such as enhancing the organisation, strengthening employees’ commitment and generating trust among clients.
I recently visited a company that was worried about internal data processing, as they had recently suffered an unauthorised use of data by a former employee who kept unauthorised copies of the company’s clients’ data and tried to compete unfairly.
The company handled personal data of their employees, clients and providers. In this case they were especially worried about their clients’ data, but as the clients were companies and not individuals, their information was not considered to be “personal data” and therefore Data Protection legislation was not applicable. Even if employees had signed a confidentiality clause, legally this would not be enough to avoid an unauthorised use of this data. In Spain and other EU countries, to avoid unfair competition by employees, companies should sign a non-competition agreement and pay a bonus both during and after the contractual relationship.
Accordingly, in this case, some of the recommendations were:
- Improve their current computer network in order to strengthen access controls and user privileges, e.g. hindering the making of unauthorised copies, blocking the use of personal devices or storage media, email/internet filtering, etc.
- Have all employees sign the privacy and security policy in order to make them aware of the monitoring activities, their rights and obligations, and the consequences of data breaches.
- Evaluate which employees should sign a non-competition agreement.
A different scenario was a health centre that processed personal health information of its patients, where some of the therapists were subcontracted. The problem was not unfair competition but a risk of data leakage, as each therapist was freely using his or her own device(s) to process personal data. In addition, with regard to health data there is specific legislation applicable to the processing, the rights of individuals, organisation, storage, etc.
In this case, some recommendations were:
- Establish a uniform protocol to process the patients’ data and store them in a centralised filing system according to the specific health legislation.
- Implement a strict BYOD policy.
- Run training programmes for employees and subcontracted therapists in order to raise awareness about privacy issues.
- Sign a written contract between the data controller (health centre) and each data processor (subcontracted therapists) specifying the purposes and means of the processing and the rights and obligations of both parties, with serious consequences in case of breach.