By José Miguel Aparicio, director of the Data Protection Area of TOMARIAL. The recurring argument that many companies in our sector use to convince the employer is the avoidance of the costly penalties provided for by the regulations. Although penalties must of course be avoided, this should be one reason among others and not be presented as the most important one, because it stops the company from recognising the value of compliance in other terms and limits it to doing the bare minimum to "comply with the file", so that compliance ends up being a nuisance rather than a development factor.

In our view, the main reason to comply with these regulations is the improvement in the company's image: it conveys professionalism and respect for privacy. And this has repercussions in economic terms:

  • If a company organises its documentary and automated processing, there will normally be no wasted time and productivity will be maximised. If staff get used to filing documentation before the end of the day, the time spent is barely noticeable; if, on the contrary, documentation is left on shelves for several days, the time the filing task takes will, as a rule, double.
  • In terms of image, an organised office is not the same as one where documents lie around anywhere or where anyone can access the computers. Think of consultancies, law firms, clinics... with the aggravating factor that anyone could access the data, which gives us little confidence in putting ourselves in their hands.
  • We must also take into account the loss of time and the image we project when we are asked for an invoice or a file... and it is missing. It is the closest thing to a mini-crisis: rushing, shouting, reproaches... in short, anxiety and stress, in addition to the impression we give to third parties. We are closer to losing the customer or, in the best case, to getting into an argument.

On the other hand, it should be noted that the regulation (like the previous one) is concerned with regulating matters that companies should already be complying with but, for various reasons (lack of time, reluctance to make the necessary investment...), do not. So, using data protection as the justification, the law steps in to force us, and it is clear: companies must guarantee the confidentiality, secrecy and integrity of information and personal data.

A clear example is the backup of automated systems. We continually see companies that leave the hard drive holding the backup permanently connected to the server, without protecting it with sufficient security measures (for example, encryption). What happens when our system is hit by malware that gets in when an email is opened and, because we do not have a reliable firewall and antivirus, encrypts the information? Or what happens when the systems "fry" after a power surge and we have not installed a UPS on each desktop or server?

In the best case we will lose time (and productivity). In the worst case it will mean closing the business, and that is leaving aside the infringements that may be sanctioned and the existing obligation to report security breaches to the supervisory authority. If, on the other hand, we have the copy, we simply restore it and get back to work. Remember, too, that the information your company processes is another asset of your organisation, surely of incalculable value and often representing years of work.

Another example: complying with confidentiality. We usually do not worry about it until the first problem arises. If, when we hire an employee with access to data (administrative, sales staff...), we inform them of the means the company makes available to them, how to use them and how to handle the information, and they sign documentation showing that we have given them this information; and if, in addition, we have measures that prevent unauthorised access and the theft of information, then we ensure that if that salesperson tries to take the customer list, they will not be able to, and if they do, we can show that we put means in place to prevent it and can take action against the offender. Protect your assets (information is power).

Another requirement of the regulation is to maintain a proactive attitude towards the data processing that organisations carry out. Proactive responsibility is described as the need for technical and organisational measures aimed at guaranteeing, and being able to demonstrate, that processing complies with the regulation. In practical terms, organisations should analyse what data they handle, for what purposes and what kinds of operations they carry out and, on that basis, determine how they will apply the necessary measures, making sure they are adequate and that they can demonstrate this, before data subjects and before the authorities, by documenting each step and decision.

In summary, remember that the cost of a single incident in this area, both in terms of loss of image, trust and time and in terms of sanctions, compensation and legal defence costs, is infinitely higher than the cost of correctly implementing this regulation in our organisation; it is therefore vital to have trained personnel or consulting firms that advise us professionally and on an ongoing basis.
