The media often reports about the elaborate scams companies become victims of. Sometimes someone is mistakenly given access to a network that they should not have access to. Often attackers have an easy job. Social media sites such as Facebook and LinkedIn provide information to identify employees with access to networks and systems. Then a carefully crafted phishing email or even a phone call can mislead an employee into helping an imposter gain access. What is often glossed over, is the importance of GDPR staff training.
Without GDPR staff training, they become the weakest link
Despite what you might think, security is breached far more often as a result of human error than due to malicious attacks. Because mistakes happen, wherever people are working. For example, an employee needs leave early to collect their children from school on time and decides to take his laptop with a client’s (personal) data home with him to finish their work later. Good work ethics, but bad security. Laptops can easily be lost or stolen – including the data on them. In a similar way, personal data may be shared insecurely, like via e-mail or on memory sticks, and lost. Another common mistake is to send e-mails to a group of people using the ‘to’ field rather than the ‘bcc’ field. Quite a lot of people don’t even realize that that’s a problem. It is, in fact, unauthorized distribution of personal data. Both because an e-mail address is personal data and because the topic of the e-mail may reveal sensitive personal information. In 2018, an e-mail that was sent to victims of child sexual abuse resulted in a £200,000 fine by the British data protection authority ICO for exactly this reason.
Data security professionals know that this ‘human factor’ is often the weakest link in data security. When staff are not fully aware of the risks, they can easily make costly mistakes or fall prey to malicious attacks.
One of the principles of GDPR is that the controller is held responsible for ‘appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures’. What ‘appropriate’ means in a specific situation is not explicitly defined in the GDPR. The regulation, however, states that the measures should ‘(take) into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons’.
Jurisprudence shows that this responsibility (and accountability) includes cases where infringements were caused by the actions of an employee, and even if the breach was intentional. Whenever personal data is being processed the controller must ensure the data is safe. Thoroughly vetting staff who handle personal data and a strict access policy are necessary, but not enough. In the case of Morrisons (where the breach was intentional) the British Court of Appeal in its judgement considered that insurance against malicious acts by staff is the way to deal with them.
Policies that employees actively engage with during the course of their everyday employment are needed to ensure that they adhere to their company’s approach to data protection. An example might be a logging system recording who accessed which personal data on which date and time and for which processing operation.
As stated before, the majority of the risk involved in everyday processing is not malicious acts. The biggest issue is employees taking shortcuts and not keeping to the rules because they don’t see or understand the risk they take. The answer is to have well-defined work processes and internal audits to regularly evaluate and refresh those policies. And – last but not least – a good data breach response plan. Because regardless of the mitigating measures taken, the risk is always there. You need to be prepared because the way a company responds to a data breach can determine whether it survives the incident.
GDPR staff training for awareness
The bottom line is, of course, the responsibility to embed data protection ‘by design and by default’. That extends to your staff and their need to be aware of the risks involved in processing personal data and how to mitigate those risks. Most employees just need to be aware of the risks in their specific situation and the key points of GDPR. The idea is not to overwhelm them with lengthy documents, but some engaging and practical GDPR staff training, which you might top off with EXIN Privacy & Data Protection Essentials certification. The certification not only motivates, but it also helps employees prove their basic understanding of the GDPR and the practice of data protection.
High-risk users need bespoke blended learning, based on the company’s situation and their respective roles within it. Think of serious games, role-playing and other more practical learning experiences. Depending on the kind of processing involved, you could consider the EXIN Privacy & Data Protection Foundation or EXIN Privacy & Data Protection Practitioner certifications.
In both cases, you can’t stop there. GDPR evolves, and compliance requires continuous learning and reinforcement. As in other fields, continuous learning helps people to apply what they have learned in practice, contributing to data safety culture in the company.
This article has been written by guest author Leo Besemer.
 Article 24(1) and Recital (74)