Graphic indicating information security

The balancing act we need to get right with Information Security is making sure that the right information is available at the right time to the right people, while also making sure that it’s protected from accidental (or malicious) changes or loss.

Our Information Security policies and standards* are all designed to keep you on the right side of the law when it comes to GDPR (the General Data Protection Regulation which comes into force from 25 May). All colleagues have signed up to follow these when they use our systems and information.

Things to do now

  • If you’re not familiar with our policies and standards, then spend some time refreshing yourself. 

    On our information security intranet pages* you’ll find policies that apply to all colleagues, and then some particular ones for those with specific responsibilities in their role.
  • Make sure you ‘classify’ your documents correctly.

    In our Information Classification and Handling Policy* you’ll find what should be classified as Highly Confidential, Confidential, Internal and Public – and how to deal with, retain, and dispose of these different types.
  • Complete your GDPR training.

    Different business areas have different timescales and approaches to being trained. If you’re not sure of when and how you need to get trained (every colleague does), then speak with your line manager.

If things go wrong, don’t keep quiet

Call the Information Incident Hotline on 0844 262 9990 if you think any information has been sent to the wrong person or place, or if someone has accessed information they shouldn’t have. This includes reporting if your Co-op mobile, tablet or laptop is lost or stolen, or if any personal device you use for work purposes has gone missing or been compromised in any way. The sooner you report it, the quicker we can minimise any impact.

More information

GDPR covers a lot of things, and we’ve recently published stories about: your information, your rights; being fair; and handling data with care. We also have information on our GDPR intranet pages* and will continue to update information here too.

*If you don’t have direct access to the intranet, then please ask your manager. Pages referred to here can be found by searching for ‘information security policies’ or ‘GDPR’ from the homepage.

Join the conversation! 9 Comments

  1. The irony upon irony of running this story on a publically available website. Why on earth is this not on the intranet and not publically available?

    • Chris – the intranet can’t be read by all colleagues, whereas this site can be. There’s nothing confidential in this story so why would we have to keep it hidden away? Some of the policies linked to here are only available on the intranet as they are specific just to us – but the rest of the info is pretty well public knowledge anyway. This is about helping communicate with all our colleagues (one Co-op!) and not just the few. Plus, if anyone outside our Co-op is reading this, it’ll help them see that we’re taking GDPR seriously and doing all we can to be ready and to protect members’, customers’, suppliers’, contractors’ and of course colleagues’ information and data. So, no irony in my eyes, just helpful communications. Now, if we were to put details of how we encrypt our information online, that would be a different matter 🙂

  2. Can we please use the classifications correctly without slapping confidential on everything just to be on the safe side.

    Every bureaucracy strives to increase the superiority of its position by keeping its knowledge and intentions secret. Bureaucratic administration always seeks to evade the light as best it can, because in so doing it shields its knowledge and conduct from criticism….

  3. As far as I am aware the fines will be a percentage of turnover rather than a fixed fine so potentially could be a lot more.

    • Hi. Apparently there will be two levels of fines. The first is up to €10 million or 2% of the organisation’s annual turnover of the previous financial year, whichever is higher. The second is up to €20 million or 4% of the organisation’s annual turnover of the previous financial year, whichever is higher. Hope this helps. Thanks ^Rachel

      • It is dependent on the Information Commissioner’s decision. It is possible that an accidental minor breach where we are already working on mitigation measures would not receive a fine at all. On the other hand, yes, a truly egregious major breach might attract the 4% figure (though the ICO has never actually applied a maximum fine under the current system so it is unlikely they would do so under GDPR either). The figures I quoted are the 50% of maximum though (the 2% figure under the GDPR regime), which the ICO has gone beyond a few times under the current system so is entirely possible under GDPR as well. For example, this was an 80% of maximum fine (so would equate to about £288M were it us under the new system): https://www.theregister.co.uk/2018/01/10/carphone_warehouse_ico_400k_fine_after_hack_exposed_customers_data/ Good reasons to be careful not to open that phishing email 🙂

  4. There are all kinds of ifs and buts around what level of penalty might be applied for a data loss incident under GDPR but just to give folks some idea of how things will change from the current Data Protection Act, if there were a data incident here that had resulted in a £250,000 fine in the past it is likely that the same fine under GDPR would be around £180,000,000. Like I say, lots of ifs and buts around penalties (and, touch wood, as we aim to do it right then we won’t have to worry) but hopefully everyone can see that the risks of not meeting the requirements of GDPR are potentially pretty damaging – and there is a requirement on all of us to be part of getting it right.

    • £180,000,000 is a very large fine.

    • It’s not just about the fines.

      Those impacted will also have the right to sue which adds a new dimension to matters.

      Lawyers are anticipating it could be the next PPI.

Comments are closed.

Category

GDPR, Uncategorized