Although GDPR supervisory authorities can issue fines when companies disregard data protection, it’s really a last resort. We encourage you to view the GDPR as a useful framework for getting your Data Protection Right. Seen in this light, the GDPR can become a business opportunity rather than an obstruction. It’s a chance to make intelligent use of data by processing it effectively and creating new business models. It can also be a PR and marketing opportunity. Your business can build trust with clients who are becoming more aware of how their personal data is being processed and are scrutinising companies’ handling of that data.

This blog series has been about the nine pillars of data protection around which you can build a solid GDPR framework. This blog post discusses the seventh pillar: data security awareness. The human element remains one of the biggest threats to good data security in any company. Untrained or unaware staff magnify that risk manyfold.
The Legal Obligation

Data controllers are legally accountable for protecting the personal data of the individuals whose data they process. This includes taking responsibility for the negligent acts of employees conducted during the course of their job. Controllers may even be liable for deliberate data breaches undertaken by spiteful past employees. The ongoing Morrisons appeal is an example of just how far a company’s liability for its current and past employees could go.

Article 25 of the GDPR advocates data protection “by design and default”; this requires controllers “to put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights”. This legal requirement encompasses staff training and awareness of the regulation and of employees’ legal obligations to protect personal data.
Vulnerability & Human Error

When you read about big GDPR fines in the headlines, you may have noticed they’re typically issued to entities that either have vast resources at their disposal or a particular moral duty to protect sensitive data. Some examples are Google, Dixons Carphone and a handful of European hospitals. This leads many smaller companies to believe they’ll be shown more leniency by the supervisory authority. The irony is that cyber criminals attack these smaller companies for the very same reason.

Criminals employ many techniques to obtain access to personal data; the most common examples are malware, phishing and SQL injection. But the primary vulnerability they exploit is people.

To illustrate how often humans cause data breaches, we reviewed the ICO statistics for quarter 3 of 2019. These statistics are compiled from the breach reports submitted to the ICO by data controllers after personal data breaches. The top six specified causes of data breach were as follows:
- Data posted or faxed to wrong recipient (289)
- Phishing (281)
- Data emailed to wrong recipient (269)
- Loss or theft of paperwork or data left in insecure location (253)
- Unauthorised access (149)
- Loss or theft of device containing personal data (120)
Staff Training & Awareness

We can never completely eliminate human error. My father always used to tell me: “If I haven’t made my first error at work by 11am, I want to go home, because I don’t want to see the one coming at noon.” He acknowledged his fallibility. Companies need to do the same by making staff aware of the potential negative outcomes of their actions and what they can do to become less vulnerable. Making sure your employees are educated on threats like phishing attacks and malware is no longer optional.

Are your staff aware of the company data protection policy? Do they know best practices for handling and transferring personal data? Staff training, when it’s done right, will instil this vital information in employees. So, who needs training, and how?
Who Needs Training in Data Protection?

All staff who handle personal data or have access to it should be trained in data protection. If you can access personal data, you can cause a data breach. If you can access the people who access it, you’re still a risk. The list might include the following:
- Receptionists & customer service staff: often the front-line targets of phishing or malware attacks.
- Marketing & communications staff: must have a clear understanding of personal data and best practices around storing and processing it.
- Human resources staff: must know how to store and handle data securely and with confidentiality, including employee data and job applications.
- Accountants: should be aware of cyber-attacks and phishing as well as general data-security issues. The financial or banking details of companies are coveted by cybercriminals.
- IT staff: experts in technical security but not always fully apprised of company policies.
- New hires: need training in best practices at the earliest opportunity.
- Senior managers & directors: are accountable and should therefore be well versed in data protection.