
GDPR and Revenge Inquiry

Introduction

Sat Dec 30 21:30:20 2017

The GDPR, the General Data Protection Regulation, is enforceable from 25th May 2018. The law was passed in 2016 and then entered a transitional phase to allow businesses and organisations to adapt. I will be discussing some aspects of the GDPR as I navigate helping the businesses and organisations I am involved with change to reflect the new legislation.

In this article I am going to share a few thoughts about one of the risks of not being fully in control of your data or the way in which you use software.

A Dish Best Served Cold

In these articles I have expressed my admiration for the GDPR, which comes into effect in a few months. I personally think it is the right direction for the protection of individual digital rights in an increasingly digital world. However, that doesn’t mean to say that I don’t harbour some concerns.


One of my concerns regards revenge inquiries. Let me run through a hypothetical situation for you. You have a current or ex-employee who harbours a grudge. Whether that grudge is valid or not, they are absolutely within their rights to request any information you hold about them, and that includes everything that has been written, excluding those things that are covered under legal jurisprudence. Let’s be clear: as an employer, or as an employee, you will have come across situations where there were employment issues. We don’t all play nicely together. It isn’t uncommon; it does happen. Whether through personality or simply because the employee and the job do not gel, there are often occasions where people move on, and sometimes words are exchanged in electronic format.

What do you do if an employee or ex-employee requests a copy of all the data recorded about them? What do you do if it is emails, texts, or other electronic communication that is stored on the devices of other employees? What do you do if they hold you liable as an employer for any personal communication shared between your employees? If it was sent on any company equipment, or during work hours, or even if it was personal and outside of work, the mere fact that you may have used that channel for work communication sets a precedent from which responsibility could be inferred.

Start Changing Your Behaviour

We are in a massive grey area that will have to be teased out by the authority that controls the code of conduct for your administrative area, or to whom you show compliance. I am not a legal expert, but my concern is that you must start to act now to set rules and behaviours for yourself and your employees. If you use any method at all to transfer information or perform tasks that are work related, whether at work or on work-provided equipment, you can be seen to have determined that it is a potential work-related matter. Therefore any similar task can also be seen as potentially work-related. How do you distinguish them?


To be blunt, you must start to separate clearly your work and personal life, and that includes all equipment, programs and devices. You must start to move towards having no personal usage of work software or equipment, or to using distinct logons with clearly defined areas of separation. This may mean that you need to consider using higher levels of security. It certainly means that you should make this clear to your employees.

It is time to start locking down what software you use and what software your employees use. It is time to start setting minimum standards of procedure and behaviour. It is time to clearly separate work and personal life and to allow your employees to do the same. We should be encouraging division between work and social lives. We should be respecting privacy and excluding overlap.


I personally see this as one of the largest tasks facing any small to medium organisation. Those that already have the ability to do this (larger corporations and businesses) have whole departments dedicated to compliance, with IT teams who enforce rules and procedures. But for many others this is a new frontier. It really should not be, as the existing Data Protection Act and EU electronic guidelines already ask for this behaviour, but they do not have the biting power of the GDPR. It is time for us to take seriously the rights of individuals and how that affects our business.

[Don't forget that you can join in this conversation by using the comments form at the bottom of the page or by tweeting at @shadowcat_mdk]