Although GDPR supervisory authorities can issue fines when companies disregard data protection, it’s really a last resort. We encourage you to view the GDPR as a useful framework for getting your Data Protection Right.
Seen in this light the GDPR can become a business opportunity rather than an obstruction. It’s a chance to make intelligent use of data by processing it effectively and creating new business models. It can also be a PR and marketing opportunity. Your business can build trust with clients who are becoming more aware of how their personal data is being processed and are scrutinising companies handling of the data.
This blog series has been about the nine pillars of data protection around which you can build a solid GDPR framework. This blog post discusses the seventh pillar: data security awareness. The human element remains, one of the biggest threats to good data security in any company. Untrained or unaware staff magnifies that risk manyfold..
The Legal Obligation
Data controllers are legally accountable for protecting the personal data of individuals that they process. This includes taking responsibility for the negligent acts of employees conducted during the course of their job. Controllers may even be y liable for deliberate data breaches undertaken by spiteful past employees. The ongoing Morrisons appeal is an example of just how far a company’s liability towards it’s current and past employees could go..
Article 25 of the GDPR advocates data protection “by design and default”, this requires controllers “to put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights”. This legal requirement encompasses staff training and awareness of the regulation and the employees legal obligations to protect personal data..
Vulnerability & Human Error
When you read about big GDPR fines in headlines, you may have noticed they’re typically issued to entities that either have vast resources at their disposal or a particular moral duty to protect sensitive data. Some examples are Google, Dixons Carphone and a handful of European hospitals.
This leads many smaller companies to believe they’ll be shown more leniency from the supervisory authority. An irony here, though, is that cyber criminals attack these smaller companies for the same reason.
Criminals employ many types of techniques to obtain access to personal data, the most common examples are malware, phishing or SQL injections. But the primary exploit and vulnerability is humans.
To illustrate how often humans cause data breaches, we reviewed the ICO statistics for quarter 3 of 2019. These stats are compiled from the breaches submitted by data controllers to the ICO after personal data breaches. The top six specified causes of data breach were as follows:
- Data posted or faxed to wrong recipient (289)
- Phishing (281)
- Data emailed to wrong recipient (269)
- Loss or theft of paperwork or data left in insecure location (253)
- Unauthorised access (149)
- Loss or theft of device containing personal data (120)
Unauthorised access and phishing might be considered cyber issues, but human error often plays a part. Someone has to click on a link to make a phishing hack work and lack of awareness about phishing will help attempts to succeed. the weak passwords invite unauthorised access. The answer to reducing human error is clear.
Staff Training & Awareness
We can never completely eliminate human error. My father always used to tell me: “If I haven’t made my first error at work by 11am, I want to go home because I don’t want to see the one coming at noon.” He acknowledged his fallibility. Companies need to do the same by making staff aware of the potential negative outcomes of their actions and what they can do to become less vulnerable. Making sure your employees are being educated on threats like phishing attacks and malware is no longer an option.
Is your staff aware of company data protection policy? Do they know best practices for when handling and transferring personal data? Staff training, when it’s done right, will instill this vital information into employees. So, who needs training and how?
Who Needs Training in Data Protection?
All staff that handle personal data or have access to it should be trained in data protection. If you can access personal, you can cause a data breach. If you can access the people that access it, you’re still a risk. The list might include the following:
- Receptionists & customer service staff: often the front-line targets of phishing or malware attacks.
- Marketing & communications staff: must have a clear understanding of personal data and best practices around storing and processing it.
- Human resources staff: must know how to store and handle data securely and with confidentiality, including employee data and job applications.
- Accountants: should be aware of cyber-attacks and phishing as well as general data-security issues. The financial or banking details of companies are coveted by cybercriminals.
- IT staff: experts in technical security but not always fully apprised of company policies.
- New hires: need training in best practices at the earliest opportunity.
- Senior managers & directors: are accountable and should therefore be well versed in data protection.
Exactly who needs training in data protection varies from company to company. Its relative cost and inconvenience factor tends to go up for smaller companies. Nevertheless, it’s an invaluable part of data protection
Awareness Training
GDPR training must also cover areas, like identifying and handling subject access requests (SARs) and record-keeping requirements.. This lays a solid foundation of the legal requirements for staff awareness. But it’s also important to train on the exploits themselves – like phishing and social engineering. If a company designates a DPO, it is that person’s responsibility to be involved in defining the staff training program.
A chief aim of awareness training is to reduce the number of security incidents that occur. For this to work, companies need a system that lets employees report incidents without fear of negative repercussions.. Maintaining a breach log, like the one found in PrivIQ software, is where security events are recorded is part of data protection awareness.
Training should be as hands-on as possible in order for the message to stick. One way of achieving this is with a simulated phishing attack, which many specialist companies, like KnowBe4 offers.
Fix the Weakest Link
Human error in one form or another is a prolific cause of data breaches. It needn’t even be an attack that causes the breach.In fact, sometimes data just falls into the wrong hands by accident.
Training about data protection risks and awareness of internal processes and policies is a key part of any GDPR compliance framework. Tools like PrivIQ, can help make sure you’re data protection is adequate to the risks. Why not book a demo today?