The first answer that comes to mind might be that most breaches occur due to ineffective systems or targeted cyber-attacks, but they are not the number one root cause.
People rather than processes cause most data protection breaches. A survey by CompTIA revealed that more than half of breaches had a human error at their root rather than systems failure.
GDPR compliance sits with people not processes
- The debate between humans & systems
- The people factor
- Do people have an understanding?
- Drilling down on knowledge & skills
- Help is at hand
If businesses are serious about ensuring they're compliant with GDPR, their approach needs to put people before the process.
The debate between humans & systems
There are two reasons why this is the case.
- People design the systems and controls to comply with GDPR requirements – not computers; they come later.
- When it comes to ensuring ongoing compliance, people are usually in the front line – not the systems they're manipulating.
And if you still need persuading, take a look at this eye-watering statistic. PriceWaterhouseCoopers found that larger firms suffered breaches costing approximately £1.5m to £3m. And for smaller businesses, the figures were still quite high, ranging from £75,000 to £310,000.
PwC also found that half of the worst instances were caused by "inadvertent human error".
This finding directly links people not doing what they're supposed to and the biggest fines levied.
Flipping this around, people can make the difference between staying compliant, and being subject to large, possibly damaging fines.
The people factor
Isn't GDPR a case of ensuring robust systems and controls are working correctly? Think about these points:
- You will likely have a policy on data consent and be implementing it – but are all consents being collected and recorded correctly? Are they being acted on appropriately?
- If a breach occurs, how effective will people be in identifying and reporting it within 72 hours?
- Does everyone understand the protocols and requirements for transferring data to and from third parties?
- Are requests from clients processed correctly in all cases?
- Are subject access requests being processed correctly and on time?
- Have all the appropriate items been logged in your data inventory without gaps?
There's one common theme running through all of these – people. People are at the heart of both the design and operation of the controls. Without the knowledge and expertise of people, and the ability to operate processes efficiently, businesses will be exposed.
So, if people are so crucial to the success of GDPR implementation and ongoing compliance, what are the keys to unlocking this effectiveness?
Ultimately, this boils down to understanding, knowledge, and skills. All of which GDPR training can help solve.
Do people have an understanding?
An appreciation of GDPR and what it means for both businesses and their customers is a good starting point. Without this understanding, people won't necessarily know why they're asked to do what they're supposed to do.
Missing out on this vital step could prove very damaging. Under the Article 39 of the GDPR, the Data Protection Officer is tasked with
"monitoring compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits"
Drilling down on knowledge & skills
Once the fundamentals are understood, it's time to get a bit more granular with the training – and that's when specific business requirements kick in. For instance, do you interact with third parties? Then the requirements here need to be trained out to the relevant people. Likewise, those who deal with subject access requests and erasure need to know what they need to know.
Testing those skills is absolutely crucial to success – and this isn't just a case of making people sit self-assessment questionnaires, although that is important. Finding the opportunity to test knowledge through fun means can be invaluable.
Help is at hand
It is vital to ask the following questions and resource training to address any gaps:
- Has everyone received at least basic training on GDPR and data security essentials?
- Does everyone understand customers' rights to only have data processed with consent?
- Does everyone know what a breach can look like and how/when to report it?
- Is the right to be forgotten understood, and does everyone know to whom to refer such requests?
- Are the security requirements for third-party transfers understood?
Want to learn more about GDPR?
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.