GDPR Update from Lisa Greenwood: An Individual's Perspective and Responsibility

Lisa Greenwood Potter, Accountant, Essex

Posted by Lisa Greenwood:

On 25 May 2018 the new GDPR regulations, which are effectively a modernisation of the Data Protection Act, came into force for businesses to adopt. The change was to ensure that personal data is not freely transmitted and is adequately secured. Whilst this is a positive move, what has been evident in the short period of implementation is that many businesses, including some large institutions such as banks, are not encouraging their customers to do anything differently and do not appear to be doing anything differently themselves as a result of GDPR. Even the government have stated that the majority of their systems will not be in place for another 12 months (no surprise there).

All of us are already fed up, having received possibly hundreds of emails over the last few months asking us to approve privacy policies and update preferences due to GDPR. Sadly, most of us didn’t read the majority of the statements put in front of us or simply selected delete on the keyboard.

The introduction of GDPR and the required changes to the transmission of personal data should be seen as a positive move and, as individuals, I feel we have a part to play in ensuring that the risk to our personal data is minimised at all times.

The main reasons for the development of GDPR were:

  1. Identity fraud has increased significantly and, having seen a colleague affected by this, I know that an enormous amount of time is spent trying to deal with the aftermath.
  2. Data is now more freely transmitted electronically rather than by post and very often it is not secure.

Personal data that you should try to protect includes your full name, address, date of birth, bank account number, marital status, income levels and passport number, to name but a few.

What should you be doing to protect yourself if you are asked to provide personal data?

  1. Ensure that you adequately verify anyone asking you for personal data over the phone. If you receive a call from the bank or HMRC, for example, you are often asked to provide ID to confirm who you are under the guise of data protection. However, this is the wrong way around: as they have called you, they should actually provide you with ID information to confirm who they are. If in any doubt, don’t provide any personal information on a call that you did not make yourself, especially if you are not expecting a call in the first place. If they are a reputable organisation, they should be prepared to provide you with a contact number to call back on, so that you can check them out either online or via a contact number that you may already have. (The fact that a call is recorded does not mean that it is OK to provide information or that the caller is genuine.)
  2. If you are asked to provide personal data by email, ask the recipient how they want you to send it to them so that it is secure. Don’t be afraid to ask how they are dealing with GDPR in respect of your personal data. Make it clear that you require any information that is sent back out to be secured as well. We're ahead of the game here at Lambert Chapman as we already use a secure Portal for transmitting data with our clients, and many businesses will soon follow suit. What appears to be a common approach at the moment is that you may be asked to send a document and password-protect it. This can be carried out quite easily with any document system and should provide a secure method. HOWEVER, DO NOT SEND THE PASSWORD FOR THE DOCUMENT BY EMAIL - you must use an alternative method, for example call them or send a text with the information enclosed. If a hijacker can intercept the first email, they could also intercept the second, effectively giving them everything they need.

Whilst they are part of everyday life, do not underestimate the power of information put on social media sites and sent via email, as these are the easiest methods of communication to intercept. Whilst it may seem over the top, if everyone starts getting into the habit of asking for data to be transmitted securely, hopefully identity fraud will reduce and our data stands less chance of falling into the wrong hands. Everyone playing their part means that more businesses will have to take GDPR seriously and change their working habits.

June 2018

Disclaimer

The views expressed in this article are the personal views of the Author and other professionals may express different views. They may not be the views of Lambert Chapman LLP. The material in the article cannot and should not be considered as exhaustive. Professional advice should be sought in connection with any of the issues contained in the article and the implementation of any actions.
