The cyber-attacks on the NHS are a shuddering wake-up call for all of us – yet it is only the tip of the iceberg when it comes to threats to business.
Here’s a terrifying case where the managing director of a prominent Scottish company (we’ll call him “the boss”) has to face up to a very difficult decision that was not of his making.
He is a wise and honourable business figure and always attempts to do the proper thing. Yet, unintentionally, he and one of his employees faced the prospect of going to jail for breaking the law under impending EU regulations. It was the result of an employee unwittingly breaching data protection rules.
He faced a critical moment, and, with imminent European Union legislation on its way, these moments could become more arduous for managers, who need to understand the consequences of data protection legislation.
For any organisation that holds personal details about its customers, employees, or partners, the world will change in less than a year. New EU legislation will impose stricter obligations on companies and will introduce huge penalties. The General Data Protection Regulation (GDPR) and the Network and Information Security Directive (‘NIS Directive’, also known as the Cyber Directive) will both apply from May 2018. The GDPR is designed to give the residents of Europe more protection for their personal data and ensure greater confidence, while NIS is focused on ensuring confidence in civic services that have a digital dependency. This will have an impact on the NHS which holds patient files.
It doesn’t matter whether we are Brexit or not, if your firm holds any data about a European individual, such as a Polish-born worker living in the UK, then you are liable. As a leader of a UK firm, you cannot ignore this. You must take full notice as this legislation requires companies to be able to show compliance. Failing to do so may result in penalties of up to €20 million or 4% of global turnover. It could be very tough on reckless firms.
What caused this boss such a massive headache? An employee in his IT department, let’s call his business ‘Company A’, was exchanging some coding information on how to perform a particular technical function with a friend in Company B. This is routine stuff that goes on all the time. By accident, the employee from Company B sent in all of its confidential log-in information and documentation for public procurement to Company A. One of Company A’s team opened the file, took a look at the information, and could see this included personal data. Realising this was a serious issue, he reported the incident to the boss, who did the honorable thing. He alerted Company B about the breach, which was stopped immediately. Company B thanked A for letting them know about this. A decent thing to do and the end of the story. Unfortunately not, the guys from Company A had committed a criminal act in accessing this unauthorised information. And that meant the boss is held responsible.
Under the GDPR regulations, Company B must might notify the relevant authorities, and sometimes the individuals themselves, that their data has been breached. They could potentially face a stiff fine unless they declare the breach to relevant authorities within 72 hours. There will always be people who will not follow the procedures and make a mistake. There will be a requirement for your business to plan, check, and act with respect to the processing of personal data. Your first step will be to identify the personal data being processed across your business.
What can you do? In terms of employment law, you need to create a culture where notification of accidental violations and incidents is rewarded. Most importantly, you need to communicate the significance of this new legislation to all your employees. Share your concerns with them and make them aware of the consequences. It will ensure they feel that they are being taken seriously as employees, which can only improve creativity, loyalty and productivity.
These and other cyber security issues will be the subject of a United Employment Lawyers symposium to be held in Edinburgh’s Signet Library (pictured above) on Friday 16 June. In view of the importance of the subject matter it has been decided to open up the morning session between 10.00 am and 2 pm to non-UEL members. This is likely to be of interest to solicitors, advocates, HR professionals, company directors and in house lawyers. Speakers include:
Anyone wishing further information should email: