Compliance is all about people
In our article ‘Navigating a steep learning curve’, we explored tools and processes that you can use to ensure your employees remain compliant.
However, as useful as the tools may be, you can go a long way towards avoiding accidental data breaches simply by training your employees. Make sure they understand what they need to do to remain compliant and avoid simple mistakes. Even the best cybersecurity tools are only effective if people use them correctly.
In its 2016 Data Security Incident Response Report, law firm BakerHostetler found that human error was the leading cause of data incidents, ahead of phishing and malware, external theft of a device and employee theft:
- human error (37%)
- phishing / malware (25%)
- external theft of a device (22%)
- employee theft (16%)
Why do employees make mistakes?
Something as simple as attaching the wrong document to an email may seem like a harmless mistake, but if that attachment contains information about an EU country, it will put you in breach of the new GDPR regulations.
The common reasons an employee may breach data security laws are:
- A lack of understanding or knowledge
- Shadow IT
- Non-secure mobile devices
- Weak or stolen credentials
- Misuse of access privileges
Why you can’t afford mistakes in relation to the GDPR
The GDPR includes multiple requirements designed to make businesses more accountable for their data practices. The increase in territorial applicability, the severity of fines and the conditions for consent will create a serious learning curve for compliance. To cope, employee training will need to be in-depth and thorough. The good news is that investing in holistic, company-wide training can get everyone, from the managerial level down, on board and up to date with the changes that are coming in May 2018.
How to keep compliant and avoid mistakes
Failing to address the human component of data protection leaves the impressive features of your security technology redundant. Considering the changes that the GDPR will bring, employee training should, at a minimum, cover the following core areas:
How to deal with the personal information your company is holding:
- Securely store personal information when it is not being used
- Encrypt personal information
- Perform and keep backups of information
- Limit the amount of personal information given out over the phone, and follow up with written confirmation
Understand the main rights of individuals under the GDPR:
- The right of subject access
- The right to have information erased
- The right to prevent direct marketing
- The right to have inaccuracies corrected
How is your company seeking, obtaining and recording consent?
- The difference between consent and explicit consent
- Standards for consent as per the GDPR
- When to rely on consent and when to look for an alternative
You must document the details of the personal data you hold:
- What kind of data is it?
- Where did it come from?
- Who is it shared with?
- Are you in compliance with the GDPR’s accountability system?
The value of training
Without the right training, even the best enterprise IT platforms can be rendered irrelevant. If employees are unable or unwilling to use the latest software, it will end up underutilised or not used at all. This can unintentionally lead to non-compliance in your organisation and increase the likelihood of fines.
Dedicated training courses and schemes can deliver targeted, practical experience to users in the tools they use daily. Through this training, they can gain the knowledge and confidence they need to use such applications effectively. This can drive improved communication, collaboration and business information analysis. Most importantly, though, it can lead to data security best practice. Users who are familiar and adept with the tools they are working with are far less likely to make mistakes.
Organisations found in breach of the GDPR will face regulatory sanctions and reputational damage, at a minimum. The scale at which these changes are coming, and the fines that come with them, is monumental. Large organisations could suffer a massive setback if they were fined 4% of their annual income, but for SMEs the potential threat of a regulatory fine may be enough to shut them down for good. Organisations should, therefore, seek out managed service and cloud providers to assess their situation regarding GDPR compliance.
Would you like more information on how to get your users working to their highest standard and minimise mistakes? Contact us here.