Privacy Goes Beyond Digital and Email

In a digital world where we’re constantly reminded to look after our personal data, it’s easy to forget about privacy leaks in the real world.

The following tale might spark some concerns among businesses, and it may even remind you of something that you’ve witnessed yourself.

It all started on the train

While travelling back from London last week, I had no choice but to overhear the following conversation.

“Hi, my name’s Jane, and I’m calling from Made Up Name Ltd,” said the lady opposite me, phone to ear and seemingly oblivious of her fellow train travellers. “I just wanted to run through a few things as part of the interview prep for the session tomorrow with David.”

Jane (not her real name, obviously) then went on to conduct a full interview with the candidate at the other end of the phone. Let’s call him Sam.

She informed Sam what the graduate starting salary would be and how it would be increased. Details of holiday entitlement (pro-rata to April) followed, along with specific details of the office culture, including hours of work, office locations, and team building exercises.

Jane then asked Sam to provide details of his current salary. I, and I’m sure plenty of others, gleaned this was rather less than the graduate starting salary previously revealed. He was also asked for his current holiday entitlement. He’ll get more if he’s successful at tomorrow’s interview, you see. She also asked him for an email address to which details for the interview could be sent.

Sam’s got a Hotmail address, in case you were wondering.

The signal dropped, and Jane called back and made Sam aware that the interview was taking place in an open space. A bit late for that, possibly.

Is there a GDPR issue in this situation?

Strictly speaking – no, there isn’t a GDPR issue with the tale above.

Despite the public nature of the call and some of the details revealed, I didn’t hear Sam’s last name, nor his entire email address.

Regardless, how would you feel as an interviewee if you realised the entire conversation was taking place on a packed train? Would you have hung up, rescheduled, or continued? There’s no escaping the fact that I managed to learn a great deal about Sam’s future career prospects.

Is the company to blame?

It’s impossible to know whether or not this particular phone call was standard practice for Made Up Name Ltd. For all I know, this could have been entirely at the hands of the employee I sat opposite. Perhaps they were running late or suddenly realised they didn’t have anywhere else to make the call later that day.

Whatever the reason for the call, it raises serious questions. If you were the owner of Made Up Name Ltd, how would you feel if your employees were representing you in this way? What impact could there potentially be on your reputation?

Lessons to be learned

Here’s my take.

Regardless of the GDPR issue, Sam should have been made aware right at the start of the call that Jane was in a public place. And that’s only if there was absolutely no way for the call to take place somewhere more private later that day.

We’re all busy, and if you need to conduct a call of a personal nature in public, it’s only fair to inform the person on the other end of the phone. After all, they have every right to refuse to take part.

As for Made Up Name Ltd, clearly, there are some issues to work through. Everyone within earshot (and there were lots of people in that carriage) heard the real name of the company, and with social media but a few finger taps away, the reputation of that organisation could take a minor battering from people who, like myself, were rather shocked at the level of detail we were overhearing.

The lesson? Think beyond the GDPR, digital, and email when it comes to privacy. Data is currency in the digital age, and cybercriminals will take any small opportunity they have to grab something valuable.

I’m aware that this leaves us somewhat unsatisfactorily unsure of whether Sam got the job, but we wish him the best of luck with the company he goes to work for! 

If you’ve got data privacy-related questions, we’d love to hear from you.

Give our friendly team a call to chat through your concerns and find out how we can help.

If you know ‘Sam’, get in touch. We’d love to know if they got the job!

MD for Risk Evolves, Helen has worked in the IT industry since 1986. Helen is a leader in the areas of risk management and operational improvement, and works with companies in senior governance, risk and compliance roles. She is a member of the British Standards Institute and is a member of the BSI Committee creating a new guidance standard to assist organisations on how to become cyber resilient. Helen and the team at Risk Evolves work with organisations to improve their resilience through stronger process implementation and better communication and education of staff.
