Even the best cybersecurity tools are only effective if people use them correctly. As useful as the tools are for implementing GDPR (see our previous blogs GDPR Compliance and GDPR Compliance – Navigating a steep learning curve), it is important to ensure that your business avoids accidental data breaches by training your employees. Make sure they understand what they need to do to remain compliant and avoid simple mistakes.
Why do employees make mistakes?
Human error is at the heart of most data breach incidents. Something as simple as attaching the wrong document to an email may seem like a harmless mistake, but if that attachment contains information about any individual from an EU country, this will likely put you in breach of new GDPR regulations.
The following is a list of the most common reasons an employee may breach data security laws:
- Lack of understanding or knowledge
- Shadow IT (where users inside organisations download and use software without explicit organisational approval)
- Non-secure mobile devices
- Weak or stolen credentials
- Misuse of access privileges
Why you can’t afford mistakes in relation to the GDPR
The GDPR encompasses multiple requirements designed to make businesses more accountable for their data practices. The increase in territorial applicability, severity of fines and conditions for consent will create a serious learning curve for compliance. To cope, employee training will need to be in-depth and thorough. The good news is, investing in holistic, company-wide training can get everyone – from the managerial level down – on board and up to date with the changes that are coming in May 2018.
How to keep compliant and avoid mistakes
Failing to address the human component of data protection leaves the impressive features of your security technology redundant. Considering the changes that the GDPR will bring, employee training should, at a minimum, cover the following core areas:
How to deal with personal information your company is holding:
- Securely store personal information when it is not being used.
- Encrypt personal information so it can be securely taken out of the office.
- Perform and keep back-ups of information.
- Limit the amount of personal information given out over the phone and follow up with written confirmation.
Understand the main rights for individuals under the GDPR:
- Subject access.
- To have information erased.
- To prevent direct marketing.
- To have inaccuracies corrected.
How is your company seeking, obtaining and
- The difference between consent and explicit consent.
- The standards for consent per the GDPR.
- When to rely on consent and when to look for an alternative.
You must document the details of the personal data you hold:
- What kind of data is it?
- Where did it come from?
- Who is it shared with?
- Are you in compliance with the GDPR’s accountability system?
The value of training
Without the right training, even the best enterprise IT platforms can be rendered irrelevant. If employees are unable or unwilling to use the latest software, it will end up underutilised or not used at all. This can unintentionally lead to non-compliance in your organisation and increase the likelihood of fines.
Dedicated training courses and schemes can deliver targeted, practical experience to users in the tools they use daily. Through this training, they can gain the knowledge and confidence they need to use such applications effectively. This can drive improved communication, collaboration and business information analysis. Most importantly, though, it can lead to data security best practice. Users that are familiar and adept with the tools they are working with are far less likely to make mistakes.
Organisations found in breach of the GDPR will face regulatory sanctions and reputational damage, at a minimum. The scale at which these changes are coming – and the fines that come with them – is monumental. Large organisations could suffer a massive setback if they were to be fined 4% of their annual income. But for SMEs, the potential threat of a regulatory fine may be enough to shut them down for good. Organisations should, therefore, seek potential managed service and cloud providers to assess their situation regarding GDPR compliance.
If you are looking to update your systems in order to comply with GDPR, or want access to further GDPR resources, contact Synergy Technology today.
Go to the Information Commissioner’s Office website for a full overview of the General Data Protection Regulation (GDPR).