Are your employees handling your data responsibly?

Your business data is one of the most valuable assets you possess.

You know this and so do others, which is why you take steps to keep your data safe and secure.

But have you thought about the vulnerabilities to your business that can be created by the behaviours and attitudes of your employees?

Data is created at an astonishing rate.

The estimated daily volume of newly created data is more unfathomable today than it was yesterday, and it will be outdated by tomorrow.

This is a problem for every business because employees create data every day.

People also read data; they interpret it; they share it; they store it; they manipulate it; they delete it; and so on.

Data can be widely used and misused.

As employers, it’s becoming increasingly important that we get a handle on the data to which our employees (and other workers among our staff) have access, that we fully understand what they are doing with it, and that we know where our data vulnerabilities arise, regardless of whether their handling of it is legitimate and in good faith.


What are the risks?


So, when we talk about data risks relating to employees, what sorts of risk are we talking about?

The way that your employees handle your data is increasingly important because data incidents, such as theft of information or data breaches, are now more commonplace, and the way that we use data is becoming more regulated.

There are two types of risk, and everyone needs to take both of them seriously.

1. The commercial risks

Confidential know-how, such as customer records, strategic business plans, technical designs or data describing components for novel solutions, is among the most desirable forms of data that may be targeted for export.

Often, they’re targeted by people very well known to you, for example, employees leaving to set up new ventures or to join competitors who are looking to gain the advantage by poaching both your talent, and what they can lay their hands on.

The more established and successful you become, the greater the risk that your data may also be targeted by criminals who wish to use it for financial gain, for example, through counterfeiting operations or others who are engaged in ‘industrial espionage’ – which is just a very grand term for them simply spying on your business in order to steal its secrets and either duplicate or hold you to ransom over them.

And that’s before you get to any potentially embarrassing emails, instant messages, pictures or other data, which might also be targeted by people whose motivations may not always be correctly, or legitimately, founded.

All of these types of incident are serious, more common than many of us might imagine, and they can be highly damaging to your brand, your business, your reputation as a competent management, and the trust invested by your customers, partners and investors.

2. The non-compliance risks (breaking the law)

As well as a moral and a commercial responsibility to protect your data, you are also required by law to behave responsibly.

Not properly protecting your business secrets and your operations could, in certain cases, be considered a breach of the legal obligations that directors owe to their business.

That kind of finding may invalidate your insurance cover and even remove the usual protections that a limited company structure provides, causing directors instead to be held personally liable, on an unlimited basis, for the damage that is caused.

Not ensuring the safe keeping of personal data and avoiding data breaches can have serious consequences too under Ireland’s data protection laws.

If you are not on top of these rules you could end up with a hefty fine.

There are legal rules about what data we must create, keep, share and destroy.

It is all too easy to fall foul of those rules and to face penalties because of your own actions, or those of your employees.

To be data-smart, and well protected, you need to have rules of your own; ones which are proportionate and that make sense for the kind of business you have, and the risks to which you may be exposed.

And you’ll need to make sure that you’ve got in place sensible systems and processes to give these rules maximum success in protecting you.


What can employers do to get a better handle on those risks and ensure we stay compliant?


You need to put in place those rules.

Your employees will need proper guidance (and tools) to know:

1. How (and when) to create documents

When you are creating documents, be on your guard.

Remember it’s not just about your word-processed documents and spreadsheets.

A document is anything that is recorded, so at the point of creation, imagine that you will have to show every email, text message, photograph, note, presentation, web page, social media post, video or voicemail to a judge or a journalist.

If it has the potential to be misunderstood or to embarrass or cause any other type of trouble, then you should exercise caution.

2. What information they should create, access, share and store

Exercise similar caution when assessing information that is available to your employees.

Having general rules in place that require your staff to:

  • only use information obtained legally, from a trusted source, and
  • if the information contains personal data, to cross-check that they have express consent (or another exceptional reason recognised by Irish law) to access and use it

can help you to direct them and you away from unwanted trouble.

3. What information they should not create, access, share or store

Conversely, having clear rules that prohibit the use of risky resources (such as the dark web) will help you to keep your business safe from cyber-attacks.

These rules have the added benefit that you can discipline your staff if they are found to have breached the rules.

4. How and where information must be stored

There are times when you will need to access your business data quickly and the easier you can do this, the better.

You might need to do this, for example, if an individual requests sight of their personal data that you’re holding, or if a court, regulator or other body requires you to disclose materials in your possession.

You might need to retrieve substantial data because you’re taking on investment or loan finance, undergoing a procurement process with a major customer, restructuring your business, or selling it to someone who will want to review your operations to understand whether it presents any unacceptable risks, etc.

Every document created in your business must be accessible to you and stored in a way that achieves the aim of rapid retrieval, by appropriate staff, with minimum fuss.

It’s also good contingency planning to ensure that more than one suitable member of staff can access material belonging to your business.

If, for whatever reason, you need to search your documents, and if this is not easy to do, it may become a distraction that you cannot afford – especially if you have to engage a third party to do it for you.

5. How information must be moved (if it is necessary to do so)

In the same way that gold is moved by armoured guards, make sure that your data is protected during transit.

In these circumstances, your armour-plating is the way that you package your data up for transmission.

Make sure it is adequately encrypted.

Only use transmission and encryption methods/solutions that are recognised as lawful and secure within Ireland – especially where personal data is being transferred.

Servers and tools provided by non-Ireland-based businesses should be carefully reviewed, to ensure that they are legally compatible with the Irish rules.

And make sure you have secure back-up in the event that a main system fails.

6. With whom information may be shared

It’s wise to categorise the data that you’re sharing on a daily basis.

Make sure your staff know what they can share with the public and what they must only share internally, as well as any variations on these (for example, more may be shared among senior management than the wider staff).

When it comes to disclosures of important data to others, having a non-disclosure agreement (NDA) is a very sensible tool for providing a framework to share more sensitive information on a limited basis.

And while they’re not bulletproof, NDAs are generally effective at reminding people to act in good faith and with integrity when you share confidential information with them.

Make sure you include indemnity and liability clauses that set penalties for disclosure at sufficiently demotivating levels too – these can be particularly good at reminding people not to break your confidence.

7. How long information should be kept for

Too much data can slow you down, make you less agile and expose your business to unwelcome risks.

Make sure you understand the minimum lawful term for which you must keep certain classes of data.

Ensure that your storage arrangements are managed in a way that enables you to securely and lawfully delete data when it is no longer required.

8. What to do when someone in authority asks for copies of documents

Do not panic when someone in authority requests documents.

This could be a regulator or a court.

Work through the request systematically and thoroughly.

You will be expected to be honest and transparent in your response.

However, it’s highly recommended that you take advice, to ensure that you’re interpreting the scope of any such request correctly, and not too broadly – to include everything possible – or too narrowly.

9. There should be a legitimate purpose for keeping and using certain types of data (especially personal data)

The rules relating to data privacy require you to keep information about individuals safe.

For example, keeping customer contact details may be perfectly reasonable (because you may need to contact those customers as part of your overall service, or for product recalls, etc).

However, if the information you gather is excessive (e.g. hanging on to records of people who have died) or not well managed (sending messages to old addresses), you’ll likely fall foul of Ireland’s data protection laws.


Would you expect to find these rules set out somewhere, all in one place, like a business policy document for example?


It is a good idea to make sure that all of these rules are included in your business’s data-related policies or your staff handbook, which all employees can readily access and are required to read.

New joiners should be alerted to this as part of their induction too, and existing staff should be reminded about them on an annual basis, at least, so there can be no excuses for not being familiar with them.

Employers also need to consider the following questions:

1. Whether you know all the different types of data your business uses and why it’s using them

There will be times when you are expected to know what information you keep.

As daunting as this may seem, having a data map will help you to navigate your data more easily when you really need to.

2. How you would gather documents from your employees when you need them quickly

Your business relies on your people, which means their documents could be anywhere.

Make sure that they know to keep them all within your reach.

Be particularly mindful of the realities of today’s work-life balance arrangements and how your company’s information could be on the personal devices of your employees.

You will need to be able to access that too.

Make sure your data policies provide you with the rights and process descriptions to do this fast.

If an employee then refuses to co-operate, experts have very effective means to access data, including data that someone may believe is irretrievable.

3. What you would do if any of your business data was deleted

Accidents happen and sometimes data gets deleted on purpose too.

When your data has been deleted, all is not lost.

Far from it.

Even if a laptop has been dropped from a great height, or a device goes missing, experts can help you to recover the data.

They can usually get data back.

You’d be surprised what experts can do!

There are plenty of things that you can do to help yourself too, for example:

  • ensure all staff are communicating, creating and storing/saving materials on cloud-based, central drives, not saving to local devices and that they’re using business-owned equipment, not personal devices
  • prohibit the transfer or transmission of data by portable devices, like USBs, or via unsecure e-transfer tools, or via personal emails
  • maintain equipment and upgrade software on a regular basis, including when prompted
  • keep firewall security measures up to date
  • don’t leave devices unattended. Fit them with location and tracking software
  • put in place robust employment contracts with clear obligations on working practices, data protection, IP and confidentiality clauses in your favour, and make sure your data policies and staff handbook are up-to-date and legally signed off, and
  • make breaches of these rules a disciplinary offence and enforce this.

4. What devices your employees use to work with your data and what happens to them when the employee leaves or the device reaches the end of its life

Because data is recoverable, you need to take extra care that your proprietary data, or that of your customers, is properly wiped from all devices before an employee leaves or the device reaches the end of its life.

Do not resell devices until you have had them professionally wiped, and you are sure that a clever buyer cannot access your data after it has been deleted.

5. How you would contain a data breach and prevent further data loss

If you suspect a breach, you need to act quickly.

Get expert help if you need to work out how a breach occurred and who might be responsible.

Then you will be empowered to make decisions about how to stop any further breaches and take appropriate action against those responsible.

6. What safeguards would be most useful to you in the event that you find yourself in dispute with an employee

When an employee leaves, you may still need their data.

They may have evidence that could help you fight a dispute.

Taking simple steps to preserve their devices, and what’s on them, will help you in case you need the information they kept.

To find out how you can protect your data against bad leavers, check out our guide, Bad leavers: how to manage data and IP risks.
