Posted on: January 25th, 2018

According to recent research by Egress Software Technologies, a whopping 24% of UK employees have purposely shared business information with people outside their organisation, and that’s just the people who admitted it.

The survey quizzed 2,000 UK workers who frequently use email as part of their roles, to highlight how common email misuse is in UK businesses. A shocking one in ten workers also revealed that they had accidentally leaked sensitive email attachments, such as bank details or customer information, putting both customers and their organisations at risk.

With figures like these and the GDPR fast approaching, it’s worth reviewing your internal processes to consider how you deal with data breaches caused by your employees. We recommend that you start by considering the following key areas:

  • Educate staff – Providing specific training to employees on how to safeguard data, and motivating them to care about the impact of a breach on both the business and its customers, is likely to minimise the risk of internal leaks. Employees should also be briefed on when and how to report data breaches, to ensure the company complies with its obligations under the GDPR, as explained below.
  • Contracts are key – Whilst employees are bound by obligations of confidentiality during employment, only a business’ ‘trade secrets’ will be protected from disclosure after employment ends. Well-drafted post-termination confidentiality obligations will help to protect an employer’s interests once employment has ended, as well as acting as a useful deterrent to potentially rogue employees.
  • Investigation – If you are unlucky enough to suffer a data breach, it should be investigated thoroughly to determine whether the leak was intentional or accidental. The disciplinary action taken as a result will differ depending upon the employee’s intentions. A thorough investigation will also help to highlight any gaps in the business’ data security measures.
  • Invest in cyber security – Data-heavy businesses should invest in data loss prevention tools and in cyber security professionals and/or technology to protect against both internal and external threats.
  • Reporting data breaches – The GDPR introduces a duty on all organisations to report certain personal data breaches to the ICO within 72 hours of becoming aware of the breach. The individuals concerned must also be informed without undue delay where the breach is likely to result in a high risk to their rights and freedoms. Businesses must also keep an internal record of all personal data breaches, regardless of whether the ICO and/or the individuals are notified.

If you want to discuss any aspects of this article and the impact on your organisation further, please contact us on 023 9236 4310.

Charlotte Allery is a Solicitor in our Commercial and Employment Services team and a member of Coffin Mew’s Tech Sector.