It’s not just American presidents who can be indiscrete and share potentially sensitive information with people they shouldn’t. While recollections of exactly what was said at that meeting by Donald Trump vary, there was definitely the potential for inappropriate information sharing, even if it was dressed up as politics or diplomacy.
Now unless you work in the Security Services, the Military or are a senior Civil servant, it’s unlikely that you and your staff will be in possession of such top secret information. However that doesn’t mean that the information your staff know and / or have access to is safe and risk free. While they might not be the next Edward Snowden or Chelsea Manning, information is a valuable commodity.
There are companies and people out there who will pay money for information and aren’t always too scrupulous about where it comes from. While some things such as bank details or credit card information have an obvious financial value (when misused), other personal details can be useful and valuable to “scammers”, criminals or even marketing and advertising companies too. This personal information could be about your customers but not always; it could be about your staff too.
As well as personal data, there will be other information that could be useful and valuable to others. It could be information from your customer database, it could be product information or technical data, your business strategy or your research programme – the list goes on.
So why would others getting this information be a problem you might ask? If you work in a competitive, commercial industry it could potentially give your competitors a helping hand to outperform you or compete more effectively against you. You’ve worked hard to build up your customer base and you wouldn’t want them suddenly buying from your competitors instead. It might help them undercut you on price or to negotiate better deals with your suppliers than you have. All is fair in love, war and business?
As for personal data, especially the type that is “sensitive”, you and your organisation have a legal obligation to store, manage and use it in line with current legislation. (The Data Protection Act 1998) If you are found to have breached the legislation, either accidentally or deliberately, the Information Commissioner can issue a penalty notice or a fine of up to £500,000. You also need to be mindful that the Data Protection Act is about to be updated and there will be new obligations and regulations that come into effect in 2018. While you might be compliant now, you might not be by next year.
So what can you do about this potential information minefield? While it’s great to hear that you trust your staff that isn’t enough, or certainly isn’t as far as the Information Commissioner is concerned. Here are some suggestions of what you might wish to put in place:
- A data protection policy and guidance and a contractual clause about the employee’s duties and obligations.
- The relevant processes and procedures that support your data protection policy are vital too.
- An appropriately worded confidentiality clause – either as part of staff contracts of employment or as a stand alone document.
- An appropriately worded intellectual property clause would be useful for your staff working in research and development, or any other product development area.
- IT guidance about file sharing, downloads and uploads, emails and social media can remind staff to think about what they share and send, and how they do it.
(This isn’t an exhaustive list but hopefully gives some food for thought.)
Depending how much of a risk you potentially face, you need to put the appropriate measures in place now before a problem arises. Once the problem or data breach occurs it’s too late…. You can’t undo what’s been said / saved / sent however much you want to and however much you try to rewrite history. (Politicians take note!)