7 May 2024
Information Management is a hot topic for us at The HR Branch in May as the Information and Records Management Society (IRMS) conference 2024 is fast approaching (12th – 14th May 2024). Our thoughts turn to what this means not only for us as a small business, but also for our clients.
Before we dive into 2024, let’s have a quick look at some of the developments from 2023 which signpost what’s coming up.
Cybersecurity – Cybersecurity has been a hot topic for some time, back in 2023, overarching legislation (EU Directive) came into effect and the aim is to provide guidance, frameworks and standards that will help protect us from Cyber risk which is increasingly significant. The Digital Operational Resilience Act (or DORA) comes into effect until January 2025.
Artificial Intelligence (AI) – there was a lot of coverage of AI in the press in 2023 and this continues in 2024. The government produced a white paper about harnessing the positive possibilities of AI whilst regulating it and ensuring we stay safe. You can read that paper here. In addition, in 2023 the EU reached an agreement on the AI legislation so there will be more to follow on that very soon.
Big companies were fined – this was all over the news in 2023 as META were fined 1.2 billion by the Irish ICO regarding transfer of personal data. This fine, which is the largest relating to a GDPR breach ever, was imposed for Meta’s transfers of personal data to the U.S. based on standard contractual clauses (SCCs) since 16 July 2020. Meta was also ordered to bring its data transfers into compliance with GDPR.
Cookies – in 2023 the ICO and Competition and Markets Authority (CMA) published a joint statement about Behavioural Advertising and Cookies and about how this can affect consumers’ choice and personal control over their personal data. In fact, the ICO wrote to some of the UK’s top websites at the end of 2023 giving them 30 days to comply with the requirements of current UK legislation. Up to now most of the 53 companies written to have changed their practices so they are in line with UK legislation, but the ICO has signalled that this is just the beginning, and they are working on an AI tool to identify websites automatically that are not in compliance.
UK Data Reform Bill - The Data Protection and Digital Information (No.2) Bill proposes several significant changes to data protection and privacy regulations in the UK. This is still in draft form and is yet to be confirmed but particularly relevant changes include:
As always, if you have any questions about what is mentioned in this post or would like some expert advice about your people practices, please get in touch at info@thehrbranch.co.uk.
Do you send out emails to multiple recipient addresses using the BCC option?
In August 2023, the Information Commissioner’s Office (ICO) provided guidance to organisations as follows:
“Failure to use BCC correctly in emails is one of the top data breaches reported to us every year – and these breaches can cause real harm, especially where sensitive personal information is involved.”
Mihaela Jembei, ICO Director of Regulatory Cyber went on to say:
“While BCC can be a useful function, it's not enough on its own to properly protect people's personal information. We’re asking organisations to assess the nature of the information and the potential security risks when deciding on the best method to communicate with staff or customers. This new guidance is part of our commitment to help organisations get email security right. However, where we see negligent behaviour that puts people at risk of harm, we will not hesitate to use the full suite of enforcement tools available to us.”
Since then there has been a significant breach by the YMCA regarding emails intended for those on a HIV support programme who were sent to 264 email addresses using CC instead of BCC, revealing the email addresses to all recipients. This resulted in 166 people being identifiable or potentially identifiable. The ICO fined the YMCA and also issued a statement following this explaining that urgent improvements are required in this area.
So what do you need to do?
If you are sending any sensitive personal information electronically including simply the email addresses of other recipients, you should use alternatives to the BCC function. Examples would be bulk email services, mail merge, or secure data transfer services. Failure to do this will put you at increased risk of a breach and potential fine from the ICO.
Information Management is a hot topic for us at The HR Branch in May as the Information and Records Management Society (IRMS) conference 2024 is fast approaching (12th – 14th May 2024). Our thoughts turn to the proposed Data Protection and Digital Information Bill and what might mean for you as a small business.
The Data Protection and Digital Information Bill is still in the process of being amended and is currently at Lords Committee stage. Here is a summary of some of the key proposed changes:
From a people perspective, the compliance of small businesses to data protection legislation is imperative given the impact that a fine from the ICO could have. This includes avoiding a breach of personal data wherever possible, ensuring that data is processed in line with the guidance and that policies/ data privacy statements are made available.