23Jun

By Leigh-Ann Athanasius


In today’s digital age, data is one of the most valuable commodities a person has to offer, especially given the number of companies that continuously collect our information. As a result, data protection has become a major concern for organisations across various industries. In Kenya, the Data Protection Act of 2019 was introduced to ensure that everyone’s data is handled properly and that individuals are not taken advantage of. You can read the Data Protection Act here.

Too often, data protection is dealt with as an afterthought rather than treated as a key risk area of one’s business. Let’s take a look at this hypothetical scenario.


The Incident

As part of Company X’s customer onboarding procedure, staff in the customer service department are expected to collect sensitive customer information such as names, ID numbers, contact information, addresses etc. An employee in this department is found to be taking customers’ personal information from the database and selling it to third parties.

These third parties are found to be sending unsolicited messages to said customers. The activity was brought to the company’s attention by one of the customers, who suspected the breach was coming from Company X based on the nature of the third-party messages they were receiving and the information those parties had.


The Problems

We’re sure that you can tell how inappropriate that is – on top of being a violation of the client’s privacy and their right to have their data protected. This is a clear breach of data protection for (though not limited to) the following reasons:

  • Purpose limitation: data can only be used for the purpose for which it was collected. This situation is clearly outside those parameters, as the third parties are reaching out to the client using information they should not have access to.
  • Consent issues: the client had not consented to their information being used by third parties, neither explicitly during the onboarding process nor implicitly by engaging Company X for its services.
  • Privacy violation: above all else, the employee violated the client’s privacy, and this breaks the trust in both the employee who onboarded them and the organisation as a whole.

Customers place a high level of trust in the companies they share their personal details with, expecting them to maintain confidentiality and to implement adequate layers of protection around their information.

It can be difficult to intercept third parties who approach employees outside of any company’s control; but what can be done to address an employee breach such as Company X’s?


The Necessary Action

In the example above, there are a few steps that need to be taken to remedy the situation.

  • Investigate the client’s complaint. Find out which employee(s) had access to the information and gather evidence of the unauthorised use of the data.
  • Reach out to the client, acknowledging and apologising for the breach and assuring them that the situation is being handled. You can be transparent with the client about the actions being taken.
  • Go through your company’s disciplinary process with the employee in question. Find out more about taking disciplinary action here.
  • Review your data protection policies to identify any weaknesses or gaps that may have led to this incident. Remedy those gaps as needed and, most importantly, emphasise the importance of employees adhering to these policies.

However, above all else, training is key! As an employer or organisation, it is essential to make sure that your employees are adequately informed of the data protection regulations and are aware of the consequences of violating these rules. Depending on the extent of a violation, this could lead to legal ramifications, and there is also the risk of reputational damage to your organisation. In the above example, the client can’t be blamed for now being wary of the organisation as a whole, and they may well tell other people in their life about the experience they had. As for the employee in the situation above, there was clearly a lack of forethought about how their actions could potentially bring down Company X.

Data protection violations can have severe consequences, both legally and reputationally, for organisations. By proactively addressing such incidents, conducting thorough investigations, implementing appropriate disciplinary measures, and enhancing data protection policies, organisations can demonstrate their commitment to safeguarding personal data and maintaining the trust of customers.

Remember, prevention, detection, and swift action are key to handling data protection violations effectively.
