Accountability post COVID19

When the initial panic of lockdown receded, we started to prompt clients to undertake a few data protection compliance checks. In particular to catch up with employees working from home and ask a few key questions about the data protection risks they were identifying in their home offices.

The results were interesting. Almost as an aside, we asked whether colleagues had completed their data protection training within the last twelve months. The responses surprisingly highlighted the fact that some managers override routine training on the basis that the department is too busy and training should therefore be a lower priority. Whether there was any intention to return to the training programme in due course or not, was not clear. But what was clear was that Training and Compliance teams think that data protection training (and Health & Safety) has been successfully rolled out and completed. Without a further check the evidence shows that roll out is not the same as completion. This was exactly the kind of mis-match between what we think is happening and what is really happening that compliance checks should identify.

As regards the data protection risks that colleagues identified in their home offices, there was an overriding truth. The colleagues with good home office facilities, by which we mean a company pc or laptop, printer, shredder, lockable cabinet, felt that the risks were minimised and managed. Colleagues without good home office facilities felt less comfortable, particularly the ones working from the kitchen table where telephone conversations could be overheard, screens overlooked and paperwork viewed by family and visiting friends.

The responses to the lockdown review also showed that colleagues were fully aware of the data protection risks when working from home. Their discomfort about not having the facilities they needed to ensure confidentiality for personal data as they worked was clear and they were prepared to do their part to protect data. It was also clear that they need support and look to their employer to at least meet them half way by providing policies and procedures and home office kit.

None of this is rocket science, not the compliance checks nor the findings. But it is a part of meeting the Accountability principle. It is not sufficient to put controls in place and assume that they are working in practice. Carry out the checks and then let the findings inform future activity, use of resources and further checking. This is the “bread and butter” work of compliance. If your organisation needs support carrying out these kinds of checks, get in touch.

Mandy P Webster, Data Protection Consultant

About the Author: mandy.webster

Since June 1999 Mandy Webster has been a freelance consultant offering audit, advice and training on privacy, information security and e-commerce issues as Data Protection Consulting Limited. The company’s mission is to help clients from a variety of sectors, and of all sizes, comply with data protection law and to that end it offers a range of solutions. Mandy, a qualified lawyer, is author of ‘Data Protection for the HR Manager’ and ‘Data Protection in the Financial Services Industry’ published by Gower and “Effective Data Protection” and ‘The ICSA Data Protection Troubleshooter’ published by ICSA Publishing Limited. Mandy is a well-known writer, commentator and speaker on data protection.

Accountability post COVID19

HIV Charity fined for bulk email errors

Top tips for evidencing compliance

How to be a Compliance Auditor

Top Data Protection Compliance Tips

Article 30 records and Privacy Notices

Accountability post COVID19