My Data

By Aim's data protection experts

May 2021

 

I am a school Governor, and as such need to be DBS checked. The process was painless; I had to present some documentation to the school Admin team and then complete the application online. The outcome? A DBS certificate which I needed to show to the school, so they could check the details and take down my certificate number.

 

All very simple. However, there were a few potential hiccups along the way. For instance, because of COVID and the need to restrict unnecessary visitors to the school premises, a junior member of the Admin team asked if I’d leave my documentation at the front desk. I politely declined, because although a brown envelope, marked private and directed towards the Admin team, might seem safe, there are many possible risks and the thought of it being lost or, worse still, stolen did not fill me with joy.

When I received the certificate, I had to visit the school again. It was at this point I suggested, jokingly, that I would happily post the certificate on the front gate for them, and anyone else who was interested, to see, since I have not done anything in my life to warrant inclusion on the certificate. At first sight, this seems fine to me, since I have nothing to hide, but if we consider the information on the certificate, i.e. name, address, date of birth, place of birth, the role at the school and any police records, then it suddenly becomes a significant document for any potential fraudster.

 

All in all, I find this situation amusing and worrying in equal measure. I am, after all, a data protection professional, and I offer my consultancy services to organisations, but here I am, happy to share potentially valuable personal information with anyone who would like it, on the “nothing to hide” and “I’m not that interesting” tickets…

So what is the point I’m trying to make? Well, it’s this. It’s easy to be laissez-faire about our own data, and say “I have nothing to hide”, but a deeper look will reveal potential risks we need to consider before proceeding along this path. However, if I am an organisation holding the data for employees, customers, potential clients and suppliers, then a “deeper look” is the minimum that everyone will expect, and a carefully considered approach, looking at all the risks, is essential, since the penalties and reputational damage from a breach or a failure to demonstrate good practice could be catastrophic.

So, despite the obvious issues around resourcing, time and financial cost, it’s essential that you have a plan to assess risks, complete data protection impact assessments when required, and know what data you hold, because even if you don’t see an issue with a breach, your customers and the ICO may see it differently.
