Although this may seem an unusual way to start thinking about the GDPR, but consider the question – "What do you think will be the root cause of most of GDPR breaches?" Yes, breaches can occur due to ineffective systems, or targeted cyber-attacks, but what's the number one root cause?
The answer to where most data protection breaches arise from is actually people rather than processes. A survey by CompTIA revealed that more than half of breaches had human error at their root rather than systems failure. Also, a recent summit in London found that 88 per cent of people asked, said they believed human failure was yet again at the heart of their problems, posing the biggest risk to their security. This leads to one fundamental conclusion.
If businesses are serious about ensuring they’re compliant with GDPR, then their approach needs to put people before process.
There are two reasons why this is the case.
- Firstly, it’s people that design the systems and controls to comply with GDPR requirements – not computers; they come later.
- Secondly, when it comes to ensuring ongoing compliance, people are usually in the front line – not the systems they’re manipulating.
These are sobering amounts, and are only likely to get worse. But here’s the most startling statistic of all.
PwC found that amongst the worst instances, half of them were caused by what it calls “inadvertent human error”.
This means there’s a direct link between people not doing what they’re supposed to be doing, and the biggest fines being levied.
Flipping this around, people can make the difference between staying compliant, and being subject to large, possibly damaging fines.
The people factor
But, what can your people do? After all, isn’t GDPR a case of ensuring systems are robust and controls are working correctly? Think about these points
- You more than likely will have a policy on data consent and be implementing it – but are all consents being collected and recorded correctly? Are they being acted on appropriately?
- If a client applies for a right to erasure of their data, do people know how to execute the instruction in line with the policy?
- If a breach does occur, how effectively do you think people will be able to identify it, so it can be reported within the 72-hour period?
- Does everyone understand the protocols and requirements for transferring data to and from third parties?
- Are requests from clients processed correctly in all cases?
- Are subject access requests being processed correctly and on time?
- Have all the appropriate items been logged in your data inventory without any gaps?
There’s one common theme running through all of these – people. Hopefully it’s now possible to see that people lie at the heart of both the design and the operation of the controls. Without the knowledge and expertise of people, as well as the ability to operate processes efficiently, any business will be left exposed.
And notice – not a mention of cyber-crime or encryption protocols.
So, if people are so crucial to the success of GDPR implementation and ongoing compliance, what are the keys to unlocking this effectiveness?
Ultimately, this boils down to three things – understanding, knowledge and skills.
Do they understand?
An appreciation of what GDPR actually is and what it means for both businesses and their customers is a good starting point. Without this understanding, people won’t necessarily know the reasons why they’re being asked to do what they’re supposed to do. Missing out on this vital step could prove very damaging. Under the Article 39 of the GDPR, the Data Protection Officer is tasked with "monitoring compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits"
Once the fundamentals are understood, it’s time to get a bit more granular with the training – and that’s when specific business requirements kick in. For instance, do you interact with third parties? Then the requirements here need to be trained out to the relevant people. Likewise, those who deal with subject access requests and erasure – do they know what they need to know?
Testing those skills is absolutely crucial to success – and this isn’t just a case of making people sit self-assessment questionnaires – although that is important. Finding the opportunity to test knowledge through fun means can be invaluable.
Help is at hand
With so little time to go before GDPR goes live in May 2018, making sure your people understand what is required of them and can carry it out is something that needs to be addressed now. You should be asking the following questions and resourcing training to address any gaps:
- Has everyone received at least basic training on GDPR and the essentials of data security?
- Does everyone understand customers’ rights to only have data processed with consent?
- Does everyone know what a breach can look like and how/when to report it?
- Is the right to be forgotten understood, and does everyone know who to refer such requests to?
- Are the security requirements for third party transfers understood?