Ahead of Oil & Gas UK’s Cyber Security Conference, speaker Ross McKenzie, a partner in the data protection team of international law firm Addleshaw Goddard, shares some insights into the practical measures that should be considered for data protection compliance in the oil and gas sector.
The harsh reality of data protection compliance is that every organisation will be affected by an incident affecting its IT systems at some point – unfortunately, we’re all susceptible to being bitten by snakes in and outside of our business, from something as simple as records being sent to the wrong recipient by email, to a much more serious targeted ransomware attack.
In the oil and gas sector, attacks affecting personal information carry a far lower risk than in other industries such as financial services or consumer-facing businesses. Nevertheless, each member of the workforce contributing to the oil and gas industry – whether employees or contractors – has an expectation that any personal information shared or created about them is protected, and quite rightly so.
Not every snake bite will result in personal information being compromised. But when it does, the law – principally through the well-known General Data Protection Regulation (GDPR), applied in the UK via the Data Protection Act 2018 – comes into play.
The GDPR needs to be factored in for operations involving the handling of personal information. Offshore, this will be relevant for any personnel records stored, but most importantly, medical records. Unsurprisingly, compromised health records have led to the highest penalties in the UK to date under the old law. New technologies being introduced into the sector, such as workforce tracking and Internet of Things (IoT)-enabled devices, are creating an abundance of new data about the workforce which requires consideration and protection.
The law generally doesn’t expect absolute prevention of data security breaches. Just like the board game, snakes can be lurking in every corner and prevention can be difficult. The GDPR does expect, however, that reasonable technical and organisational measures are in place. A bit like ladders, they are there to give you a step up on compliance to help avoid challenges, and when something does go wrong, they’re there to help get you back to where you were and can be used to show authorities what measures were in place to mitigate against a breach.
Most organisations will have already spent time on data protection compliance recently given the introduction of the GDPR. But moving forward, reasonable steps should be taken to monitor compliance and keep standards up. Some housekeeping tips include:
- Ensure training of new staff is undertaken, including refresher training, particularly focussed on reporting of any suspected breaches;
- Test procedures in dummy incident runs and focus on timelines – a personal data breach which is high risk to individuals (e.g. lost health records) must be reported to the ICO in the UK within 72 hours;
- Audit contractors you rely on to process data on your behalf – this is probably the most important aspect, particularly for offshore health records. You should check how they would manage reporting a breach;
- Check the terms of any collaborations you are involved in. Consider if personal information shared is necessary and who has responsibility for data incidents; and
- Run privacy impact assessments to check what security measures are in place (and should be put in place) before any new collaboration involving personal information.
Ross McKenzie is a partner in the data protection team of international law firm Addleshaw Goddard.