GDPR Flashcards

1
Q

Outline the ways in which an organisation meets the requirements of the Data Protection Act (20)

A

• Organisations should be registered with the government as a data user
• Ensure visitors have limited physical access to where data is held
• Ensure staff question people who they do not recognise
• Keep cabinets with sensitive data locked at all times
• Only certain people have access to data (a hierarchical/role-based system)
• Give someone responsibility for ensuring cabinets are locked when the office closes
• Ensure staff are situated next to the filing cabinets, so that any inappropriate activity with the data is noticed
• Keep a record of who accesses files/cabinets
• Securely destroy (i.e. shred) data that is no longer needed or relevant
• Carry out regular data checks by asking the data subject to confirm that the information held is accurate
• Look through files on a regular basis and decide whether the information still needs to be retained
• Someone should be responsible for regularly monitoring the data held
• Gather only the minimum amount of information required for the transaction/situation
• Forms should only ask for essential information
• Ensure there is a privacy notice on your website telling customers what you will do with their data
• Set out the steps by which people can access their information, for example through a Subject Access Request (SAR)
• Permission (opt in/opt out) is asked for before the information is shared or used for another purpose
• If data is to be transferred outside the EU, specific permission must be sought (or another lawful transfer safeguard must be in place)
• Staff are trained in the principles of data protection
• A member of staff is appointed to ensure that the organisation complies with the legislation

2
Q

What strategies should be covered at a staff meeting to ensure compliance with the General Data Protection Regulation (GDPR)? (7)

A

• Staff should not repeat confidential data/information aloud when talking on the phone to customers; ask the customer to repeat the numbers instead
• Staff should take time between customers to tidy away documents
• Any notes taken should be securely destroyed
• Papers with customer information should be filed away when not in use
• Locked filing cabinets should be used for storage of customer files
• Ensure back-up copies are being made and kept
• Customers should not be able to view screens; use any of the following:
o windows minimised
o screens switched off
o screen locked if the staff member moves away from the desk
o use of screensavers
o privacy screens which can only be viewed from one angle

3
Q

What are the consequences of breaching data protection laws for a company? (6)

A

• May attract unwanted media attention
• Company reputation may be damaged
o Loss of new customers/sales/income
o Existing customers may switch to a rival
o Difficult to attract high-quality candidates in the recruitment process
• Reported to the Information Commissioner's Office (ICO)
• Faces costly legal action/fines/sanctions
• May have to pay compensation to those affected
• May close down or be closed down

4
Q

What are the consequences of breaching data protection laws for an employee? (7)

A

• Dismissed/contract terminated for misconduct
• A poor reference could make it difficult to get a new job
• Lack of income may result in financial hardship
• Demoted, with responsibilities removed
• Receives a formal verbal/written warning that is held on record
• May harm a customer indirectly by misusing their information
• May suffer stress/guilt/demotivation as a result
