Our organization has historically been very lax with data protection and compliance, and we have a number of POS sales positions serving the public and taking payments: cash, Chip and PIN, and debit/credit transactions through an e-portal.
As we're in the UK, the pending 2018 GDPR Act will have huge consequences on data and information security for us, and as an IT dept. one of our biggest challenges is preparing the organization for the changes and enforcing best practices on our staff.
It's recently come to light that certain vendors will often be logged on to more than one machine, with a different user performing financial transactions whilst 'borrowing' a colleague's credentials (the colleague in question is aware of this; apparently it 'speeds things up' when they're busy).
Of course this removes our ability to trace and audit transactions, but strictly speaking, is this illegal?
If so, which party would be prosecuted for this? The individual 'borrowing' the credentials, the colleague who has 'loaned' their login credentials out, or us as a company (even if we are unaware of the practice)?
I'm aware this crosses over with 'Law', but it is more generally focused on IT protection practices, so I thought I'd post it here (I don't want to cross-post). If the community deems this off-topic for this stack, could an admin kindly migrate it over to Law for me?