GDPR Compliance Lies with People Not Just Systems
It may seem an odd way to start thinking about GDPR, but consider the question – but what do you think is the root cause of most GDPR breaches? The answer may surprise you.
You may be thinking that most breaches occur due to ineffective systems or targeted cyber-attacks, but they are not the number one root cause.
In fact, most data protection breaches are caused by people rather than processes. A survey by CompTIA revealed that more than half of breaches had human error at their root rather than systems failure. Also, a GDPR summit in London found that 88% of people asked, said they believed human failure was yet again at the heart of their problems, posing the biggest risk to their security. This leads to one fundamental conclusion.
If businesses are serious about ensuring they’re compliant with GDPR, then their approach needs to put people before process.
There are two reasons why this is the case.
- Firstly, it’s people that design the systems and controls to comply with GDPR requirements – not computers; they come later.
- Secondly, when it comes to ensuring ongoing compliance, people are usually in the front line – not the systems they’re manipulating.
And if you still need persuading, take a look at this eye-watering statistic. Back in 2015, PriceWaterhouseCoopers found that larger firms were suffering breaches costing between approximately £1.5m to £3m. And for smaller businesses, the figures were still quite high, ranging from £75,000 to £310,000.
These are sobering amounts, and are only likely to get worse. But here’s the most startling statistic of all.
PwC found that among the worst instances, half of them were caused by what it calls “inadvertent human error”.
This means there’s a direct link between people not doing what they’re supposed to be doing, and the biggest fines being levied.
Flipping this around, people can make the difference between staying compliant, and being subject to large, possibly damaging fines.
The people factor
But, what can your people do? After all, isn’t GDPR a case of ensuring systems are robust and controls are working correctly? Think about these points
- You more than likely will have a policy on data consent and be implementing it – but are all consents being collected and recorded correctly? Are they being acted on appropriately?
- If a client applies for a right to erasure of their data, do people know how to execute the instruction in line with the policy?
- If a breach does occur, how effectively do you think people will be able to identify it, so it can be reported within the 72-hour period?
- Does everyone understand the protocols and requirements for transferring data to and from third parties?
- Are requests from clients processed correctly in all cases?
- Are subject access requests being processed correctly and on time?
- Have all the appropriate items been logged in your data inventory without any gaps?
There’s one common theme running through all of these – people. Hopefully it’s now possible to see that people lie at the heart of both the design and the operation of the controls. Without the knowledge and expertise of people, as well as the ability to operate processes efficiently, any business will be left exposed.
And notice – not a mention of cyber-crime or encryption protocols.
So, if people are so crucial to the success of GDPR implementation and ongoing compliance, what are the keys to unlocking this effectiveness?
Ultimately, this boils down to three things – understanding, knowledge and skills. All of which GDPR training can help solve.
Do they understand?
An appreciation of what GDPR actually is and what it means for both businesses and their customers is a good starting point. Without this understanding, people won’t necessarily know the reasons why they’re being asked to do what they’re supposed to do. Missing out on this vital step could prove very damaging. Under the Article 39 of the GDPR, the Data Protection Officer is tasked with "monitoring compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits"
Once the fundamentals are understood, it’s time to get a bit more granular with the training – and that’s when specific business requirements kick in. For instance, do you interact with third parties? Then the requirements here need to be trained out to the relevant people. Likewise, those who deal with subject access requests and erasure – do they know what they need to know?
Testing those skills is absolutely crucial to success – and this isn’t just a case of making people sit self-assessment questionnaires – although that is important. Finding the opportunity to test knowledge through fun means can be invaluable.
Help is at hand
You should be asking the following questions and resourcing training to address any gaps:
- Has everyone received at least basic training on GDPR and the essentials of data security?
- Does everyone understand customers’ rights to only have data processed with consent?
- Does everyone know what a breach can look like and how/when to report it?
- Is the right to be forgotten understood, and does everyone know who to refer such requests to?
- Are the security requirements for third party transfers understood?
Want to know more about GDPR?
We have created a glossary of GDPR definitions to help you navigate GDPR and DPA 2018 compliance. And we also have 50+ free compliance training aids as well as regularly publishing informative GDPR blogs including a regularly updated GDPR fines tracker for 2020.
If you're looking for comprehensive compliance training, why not visit our GDPR course library.
If you've any further questions or concerns about GDPR, just leave us a comment below this blog. We are happy to help!