GDPR Learning Hub

Clean-desk routine as an organizational security measure

To reduce the risk of unnecessarily exposing personal data, it is a good idea to introduce a clean-desk routine as an organizational security measure.

What is a Clean-Desk Routine?

A clean-desk routine is an organizational security measure that many companies should adopt. It is simple but can be of great importance. In short, it ensures that material containing personal data or other sensitive information is not left where anyone can see it. This applies to physical information as well as digital information.

What Parts of GDPR a Clean-Desk Routine Can Help Businesses Follow

  • Protects personal data against unauthorised access, in accordance with the principle of integrity and confidentiality.
  • Reduces the risk of accidental data leaks.
  • Helps the company demonstrate compliance with the GDPR, in accordance with the principle of accountability.

When are clean-desk routines particularly important?

  • Co-working environments.
  • Offices that receive a lot of visitors.
  • Finance departments.
  • HR departments.
  • Businesses that process sensitive personal data.
  • Remote work in public places.
  • Workplaces next to a window that people pass by.

Definition of personal data breach

If an event occurs that results in the unlawful or accidental loss, alteration or destruction of personal data, or in unauthorised access to or disclosure of personal data, it constitutes a personal data breach. A personal data breach is a security incident, whether or not it was intentional. Personal data breaches can have serious consequences for the data subjects, so it is important to prevent them. In addition, certain personal data breaches must be reported to the affected data subjects as well as to the national data protection authority.

Many personal data breaches occur by simple mistakes

It is good to know that many personal data breaches are caused by simple mistakes, not by cyberattacks. A very common personal data breach is an email containing personal data that is sent to the wrong recipient.

Physical clean-desk routine

If employees in an office have papers containing personal data, for example about customers, lying on their desks, and a visitor walks by and sees or could see the personal data, that is a personal data breach. Workers should therefore avoid leaving papers with personal data open on the desk.

Digital clean-desk routine

Another example is when workers leave documents open on their work computers while, for example, they leave their desk to get a coffee, which increases the risk of exposure and of a personal data breach. Workers should therefore use screen locks on their computers, and a privacy filter for the screen may be useful so that passers-by cannot read the screen from the side. In addition, workers should close open documents whenever they leave their workplace for any reason.

What rules can a clean-desk routine contain?

Clean your desk daily

Do not leave physical documents or notes containing personal or other sensitive information on your desk at the end of the workday. Likewise, close all digital documents on your computer and shut it down.

Lock storage compartments

Ensure that storage spaces, both physical and digital, are locked when not in use.

Use machines that destroy documents

Some documents should be destroyed, and this is best done with a shredder, a machine that destroys documents, instead of throwing the document directly into the trash.

Password-protect the computer

Always password-protect your computer, so that no unauthorised person can log on to it.

Safely store portable devices

Keep in mind that all portable devices used for work, such as laptops, mobile phones and tablets, should be stored safely.

Clear temporary notes

Temporary notes, such as post-it notes containing personal data that employees use in their work and therefore keep on their desks, should be cleared away when they are no longer needed.

Avoid personal data on whiteboards

If the company uses whiteboards and notes personal data on them, it is important that unauthorised people cannot see it. For example, it is common to use whiteboards in conference rooms that can be booked by different people. Personal data should therefore not be written there, or should be erased immediately after the meeting.

Do not keep lists of names in public

A common mistake is to keep visitor name lists in public view without a legal basis for the processing. The list can be physical or digital; either way, visitors can see all the names on it.

Do not forget the printouts left in the printer

It is good to check the printer for printouts regularly, as documents are easily forgotten there.

Important Things to Consider for a Clean-Desk Routine to Work in Practice

Develop a written policy

The first step is to develop a written policy. In it, the company can describe, among other things, what the desk should look like, what information employees must not leave on the desk, and what they should keep in mind to maintain a clean desk.

Information and training

It is important to inform employees and provide them with relevant training, so that they can effectively carry out what is stated in the policy.

Make sure clean-desk is included in onboarding

The information and training on the company's internal procedures for GDPR compliance should be provided as part of the onboarding process, that is, when new employees are introduced.

Adapting the workplace to make it possible in practice

In order for employees to keep a clean desk, it is important to give them the means to do so. For example, the company should buy secure, lockable document cabinets, shredders where necessary, privacy filters for screens and similar equipment.

Regular controls

To ensure that employees follow what is stated in the clean-desk routine, it is good to carry out spot checks regularly.

Classify a violation of the routine as an internal incident

It can be good to have employees report internal breaches of the routine, even when no personal data breach has occurred. The aim should be to enable the company to improve its work in this area.

Regular audits

Another good organizational security measure is to carry out regular audits of different areas. Audits are often carried out internally, but in some cases it may be appropriate to engage an external party, for example for high-risk processes where an objective perspective is important. Regular internal audits of GDPR compliance make it easier to identify shortcomings and opportunities for improvement before they lead to serious consequences.
