When undertaking a Data Protection Impact Assessment (DPIA), which the GDPR requires for any processing likely to result in a high risk to individuals, how many businesses consider the risk that their own staff bring with them?
Remember that a DPIA is the process by which an organisation assesses the risk it exposes data subjects to by holding their data. If you are conducting a risk assessment, you need to cover every aspect of that risk, and one of those aspects has to be the people.
I recently spent an interesting afternoon looking at the enforcement actions taken by the ICO, and some of the trends surprised me. Of the civil monetary penalties imposed since 2010, most were for breaches of the Privacy and Electronic Communications Regulations (PECR), which cover unsolicited marketing emails, texts and calls. The next largest group, at 37%, was for things one would class as human error or lack of knowledge, including:
- Disclosure of personal data by email to the wrong recipients (there were many of these).
- Personal data hand-delivered to the wrong individual.
- Insecure disposal of personal data, both paper and electronic.
- Personal data made publicly available via websites.
- Loss of paper or electronic files containing personal data.
Some of the stories actually made me laugh. How could such mistakes happen? Obviously they do.
When I examined some of the case histories in more detail, it was obvious that many of the mistakes came down to either a lack of process or poor training of staff.
Would any organisation consider letting an employee loose on a forklift truck without adequate training? Would they let an employee handle dangerous substances, or heavy machinery, without it? My guess is no. I would suggest that most companies comply in those cases because they understand the risk of those activities. Data mismanagement carries risks too. They may not have the immediate impact of a forklift driven by a maniac, but the consequences of data loss can be catastrophic for the data subjects. If you want an example, listen to Bennett Arron, a writer and stand-up comedian who had his identity stolen. He lost everything, and it took him years to recover. Loss of data is not victimless.
So when considering your data risks, please add in the 'human cock-up' factor and think about what can be done to reduce it. Training will certainly be a key factor, as will processes that are clear and simple. Data protection does not have to be complicated, just effective.
Oh, and for those interested: the share of fines handed out for data loss caused by cyber attacks was 6.5% of the total.