Compliance is all about people
In our article ‘Navigating a steep learning curve’ we explored tools and processes to ensure your employees remained compliant. Compliance is all about people.
However, you can go a long way towards avoiding accidental data breaches by training up your employees. Employees need to understand the requirements to remain compliant and therefore, avoiding simple mistakes. Cybersecurity tools are only effective when used correctly.
It may be a harmless mistake attaching the wrong document to an email, but if the attachment contained information about an EU country, you will be in breach of GDPR regulations.
Five of the most common reasons your employees breach data security laws: –
- Lack of understanding
- Shadow IT
- Non-secure mobile devices
- Weak or stolen credentials
- Misuse of access privileges
Why you can’t afford mistakes in relation to the GDPR
The GDPR includes multiple requirements designed to make businesses more accountable for their data practices. The increase in territorial applicability. Severity of fines and conditions for consent, will create a serious learning curve for compliance. Employee training needs to be in-depth and thorough.
Company-wide training ensures everyone, is on board and up to date with the changes coming in May 2018.
How to keep compliant and avoid mistakes
Should you fail to address the human component of data protection, the features of your security technology will become redundant. Considering the changes that the GDPR will bring, employee training should, at a minimum, cover the following core areas:
How to deal with personal information your company is holding: –
- Securely store personal information when not being used.
- Encrypt personal information so it can be securely taken out of the office.
- Perform and keep backups of information.
- Limit personal information given out over the phone then follow up with written confirmation.
Understand the main rights for individuals under the GDPR: –
- Subject access
- The opportunity to have information erased
- Prevention of direct marketing
- To have inaccuracies corrected
How is your company seeking, obtaining and recording consent?
- The difference between consent and explicit consent
- Standards for consent as per the GDPR
- When to rely on consent and when to look for an alternative
You must document the details of the personal data you hold: –
- What kind of data is it?
- Where did the data come from?
- Who shares this?
- Are you in compliance with the GDPR’s accountability system?
THE VALUE OF TRAINING
Your latest software will become underutilized if employees are unable or unwilling to use it. This will unintentionally lead to non-compliance within your organisation, increasing the possibility of fines.
Dedicated training courses and schemes deliver targeted, practical experience to Users via the tools they use daily. With training, Users gain the knowledge and confidence they need to use such applications effectively. This drives improved communication, collaboration and business information analysis. Most importantly, though, it will lead to data security best practice. Users familiar with the tools they are working with, are less likely to make mistakes.
Companies in breach of the GDPR face regulatory sanctions and reputational damage, at a minimum. The scale at which changes are coming – and the fines that come with them – is monumental. Large organisations would suffer a massive setback if fined 4% of their annual income. But, for SMEs, the potential threat of a regulatory fine may be enough to shut them down for good. Organisations should, therefore, seek potential Managed Service and Cloud providers to assess their situation regarding GDPR compliance.