It’s hard to believe that the GDPR has been in force for more than 3 years now, having been introduced on 25th May 2018. So, what have we learned in that time? How have we adapted?
We now know what happens to those who don’t get it quite right; they make headlines, for the wrong reasons. The nature of the failures is made public, and failure to comply with the legal justification for processing or with Data Subject Rights can incur a penalty of up to €20m or 4% of the company’s total gross revenue. That’s not something to be ignored.
One highly publicised example of a GDPR breach in the UK was British Airways. They were fined £20m following a data hack in which the data of approximately 400,000 of their customers was stolen by adversaries*. The personal information included names, addresses, credit card information, logins and travel booking details. This is a substantial financial penalty, but more importantly, the brand’s reputation was negatively impacted.
Therefore, making sure your citizens’ data is safeguarded is critical. We follow stringent data security rules and processes to ensure this, and even with the challenges of working remotely, we’ve remained compliant with the utmost integrity. As we know only too well:
Reputation is our livelihood, so you can be confident we’ll look after yours.
Maintaining Data Privacy in a hybrid working environment
It’s been a turbulent past 18 months with the emergence of the COVID-19 pandemic, and with it came an enormous shift in the ways businesses now operate. From what was a largely office-based society of workers, we all rapidly became accustomed to working fully from living rooms, bedrooms, dining rooms and kitchens!
Businesses have had to adapt their practices to comply with lockdown protocols and Govtech responded appropriately when the government announced the full-scale lockdown in March 2020. New equipment was purchased, desks were vacated, and staff left the office. More than a year on, we are now beginning to trickle back into a level of ‘hybrid working’.
But how is it possible to maintain high levels of customer privacy when we are working from home? Well, for us, it’s simple. Our existing company policies, which we know are fully compliant with GDPR and BSI ISO/IEC 27001 requirements, are also applied when home working. These include:
- All staff being provided with encrypted laptops, complete with firewall and anti-virus protection on which to work.
- At no point are Govtech systems or information ever accessed or processed on personal devices.
- Our ‘Clear Desk and Clear Screen’ ISMS policy continues to be observed during home working. This ensures that any Govtech information cannot be seen or accessed by people who are not Govtech employees. Computer screens must not be visible through windows, and screens must be locked if a visitor or family member is present and can see the screen.
- If a computer is left unattended, the screen must be locked and any Govtech information which is visible within the workspace must be hidden away from the vicinity of the computer.
Following the rules we are so used to following in the office when we are working in our own homes means that we can keep our customer information and working practices as safe as they ever were before COVID-19 emerged.
Safeguarding your citizens
With the GDPR being such a high-profile piece of legislation, customer awareness of their own data and how it is used by companies has increased dramatically. That is why it is so important for us, and you, to be able to justify why we need the items of information we request during transactions. The GDPR states in Article 5, paragraph 1 (c) that processing should be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)’.
In light of this, we decided to conduct an overhaul of our Revenues forms, involving changes such as:
- Only collecting citizens’ birth dates in certain necessary scenarios
- Removing the condition for customers to supply their employment/benefit details when they are applying for a special payment arrangement for summonsed debt
Given that we collect only the information we need in order to comply with the data minimisation principle, what do we do WITH that information? Crucially, the information collected is accessible only to certain members of staff, i.e. those who need it to do their jobs. Additionally, not every field submitted is visible to every one of those staff. For example, our indexing team can see only the names and addresses submitted on the forms; they have no visibility of the contact details or bank details for that citizen.
Alongside this, it is also important to us that we apply a reasonable data retention period. The information we collect is accessible only for 30 days from the date of submission. After this period all the submitted information is deleted from where it is stored, and we are left with just the ‘bare bones’ of the transaction to show where it once was, and which also acts as a proof of receipt.
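The two controls just described, field visibility limited by role and a 30-day retention window after which only a receipt stub survives, as an added Python illustration. This is not Govtech’s code: the indexing team seeing only names and addresses follows the text, but the other role names, the field names, the sample submissions and the exact contents of the retained stub are assumptions made for the example.

```python
"""Role-limited field visibility plus a 30-day retention purge (added example)."""
from datetime import datetime, timedelta, timezone

# Personal fields a form submission may carry (assumed names).
PERSONAL_FIELDS = {"name", "address", "email", "phone", "date_of_birth", "bank_account"}

# Fields each role may see. 'indexing' mirrors the page; the others are assumed.
ROLE_VISIBLE_FIELDS = {
    "indexing": {"name", "address"},
    "payments": {"name", "bank_account"},
    "support": {"name", "address", "email", "phone"},
}

# Retention window the page describes: 30 days from submission.
RETENTION = timedelta(days=30)

# Non-personal bookkeeping fields that form the 'bare bones' receipt stub.
STUB_FIELDS = ("reference", "form", "submitted_at")


def view_for_role(record, role):
    """Return a copy of the record holding only what the role may see.

    Bookkeeping fields are always visible; a personal field is included only
    if listed for the role. An unknown role sees no personal data at all.
    """
    allowed = ROLE_VISIBLE_FIELDS.get(role, set())
    return {
        key: value
        for key, value in record.items()
        if key not in PERSONAL_FIELDS or key in allowed
    }


def purge_expired(records, now):
    """Return a new store where records past the retention window are stubs.

    A stub keeps only the reference, form type and submission time, enough to
    evidence that the transaction happened; every personal field is dropped.
    """
    result = {}
    for ref, record in records.items():
        if now - record["submitted_at"] >= RETENTION:
            stub = {key: record[key] for key in STUB_FIELDS}
            stub["purged"] = True
            result[ref] = stub
        else:
            result[ref] = dict(record)
    return result


# Constructed sample submissions with fictitious people and values.
SAMPLE_RECORDS = {
    "R-1001": {
        "reference": "R-1001",
        "form": "payment_arrangement",
        "submitted_at": datetime(2021, 6, 1, 9, 30, tzinfo=timezone.utc),
        "name": "A. Example",
        "address": "1 Sample Street",
        "email": "a.example@example.invalid",
        "phone": "01234 000000",
        "bank_account": "00-00-00 12345678",
    },
    "R-1002": {
        "reference": "R-1002",
        "form": "council_tax_discount",
        "submitted_at": datetime(2021, 6, 20, 14, 0, tzinfo=timezone.utc),
        "name": "B. Example",
        "address": "2 Sample Street",
        "date_of_birth": "1980-01-01",
        "email": "b.example@example.invalid",
    },
}


def run_demo():
    """Exercise both controls against the samples as of a fixed (constructed) date."""
    now = datetime(2021, 7, 5, tzinfo=timezone.utc)  # R-1001 is 34 days old, R-1002 is 15
    return {
        "indexing_view": view_for_role(SAMPLE_RECORDS["R-1001"], "indexing"),
        "after_purge": purge_expired(SAMPLE_RECORDS, now),
    }


if __name__ == "__main__":
    outcome = run_demo()
    print("indexing sees:", outcome["indexing_view"])
    for ref, record in outcome["after_purge"].items():
        print(ref, "->", record)
```

Two design points carry the page’s intent: the role table is a deny-by-default allow-list, so a role that is not listed gets no personal field rather than all of them, and the purge builds the stub from a fixed list of bookkeeping fields instead of deleting known personal fields, so a new personal field added to a form can never survive the 30 days by accident.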
If one of our customers has a query about the processing of one of their transactions, our support team is on hand to help. We will never ask our customers to provide details of the query via email, as we do not consider email to be a secure method of transferring Personally Identifiable Information. Instead, we have our own fully encrypted Helpdesk platform, which enables local authorities to provide us with case information to aid enquiries, in complete confidence that the information will remain secure with us and not open to third-party interception.
Keep calm and carry on!
Hackers and viruses have been known to outsmart even the most sophisticated of security systems, and that means we must work doubly hard to always stay ten steps ahead of them, to prevent us experiencing data losses like those of British Airways. Customers’ privacy and adherence to the GDPR are of paramount importance to Govtech, so we have a method in place that we refer to as ‘bus syndrome’. What would we do if our CIPP/E (Certified Information Privacy Professional/Europe) got hit by a bus? We must be prepared for the worst, which means that every person has a backup. Therefore, Govtech has two CIPP/E certified members of staff. Both are also members of the IAPP (International Association of Privacy Professionals), which is the world’s largest information privacy community.
Not only do we have 2 CIPP/E certified members of staff, but Govtech also holds the BSI ISO/IEC 27001 accreditation. This accreditation means we have security and working procedures in place for almost every scenario. Since Govtech achieved this status several years ago, the policies and procedures associated with it have become a part of our everyday working lives. They are an integral part of our job; we know them inside out and we are audited on them regularly. The audits keep us at our best, and the regular reviews by the BSI themselves ensure that our levels of security and the business practices that keep all personal data safe and secure are the very best they can be.