Could human error cause a data breach under the GDPR?

The General Data Protection Regulation (GDPR) aims to create a new data environment; one where individuals have better control over what happens to their personal information and where organisations are held to account if they fail in their safeguarding obligations.

By Archie Stephens

Frustrated Poet

July 2018

From email marketing through to cyber security, much of the advice on the GDPR focuses on the technical and process-based changes businesses need to make. But compliance isn’t something you can automate and ongoing compliance cannot be achieved unless the people within your business understand and are able to meet their data-related responsibilities.

Even with the best intentions, customer data requests can be overlooked, people can make security slip-ups and reporting obligations can be missed. Human error can mean sleepwalking towards a regulatory penalty – making this one of the most significant compliance risks faced by any business.

Here, we look at some of the common areas of data management, privacy and security that can be impacted by human error, what this means for your GDPR compliance strategy and what you can do to minimise the risk.

What constitutes a data breach by employees?

There’s a long list of ways employees could cause a data breach, such as:

  • Clicking on malicious web links
  • Sending personal information to the wrong email address
  • Failing to use the BCC function when emailing personal information to a mailing list
  • Falling for a phishing scam
  • Neglecting to shred sensitive documents
  • Physical theft of paper records and/or devices (or leaving them unattended in a public place where someone else might steal them)

The majority of data breaches are thought to be down to human error. Lack of training, a momentary lapse, procrastination, or simply having too many things to do – any of these can make a data breach more likely. And that will hamper GDPR compliance.

Creating compliance blind spots

Examples include focusing your compliance efforts solely on customer data while overlooking other areas, such as how you safeguard your HR data. ‘Technical bias’ can also be an issue here – especially if your IT team is taking the lead on compliance. For instance, lots of attention might be paid to safeguarding digital data (e.g. through encryption and system access restrictions), while nobody considers what to do with your filing cabinets full of legacy physical records.

Lack of training and clear responsibilities

A previous customer sends an email requesting copies of her account records. Your new customer services rep (who doesn’t know anything about the GDPR) has been told to prioritise replies to potential new customers, so this subject access request goes unanswered and un-actioned.

Meanwhile, your IT team has picked up on a data breach. This has been identified and rectified before any “risk to the rights and freedoms of data subjects” arose, so it does not need to be reported to the regulator. The GDPR still requires that the incident is logged internally, whether or not it is reportable. But each team member assumes that someone else has made the entry, so it isn’t dealt with.

Lack of visibility

Your customer data is scattered across multiple locations and formats. When a customer asks you to confirm what data you hold on them, you overlook some information held on a rarely-accessed database. This leads you to give a misleading and inaccurate response.

As another illustration, you receive a formal complaint from a customer who recently removed their consent for receiving marketing communications, but has just received your latest emailed newsletter. It turns out that you failed to apply the latest version of your communications suppressions list before sending out the email.

Staff exploitation

A hacker masquerading as a representative from your courier partner sends an email to your warehouse manager. Your employee responds, enclosing the names and delivery addresses for your next batch of orders.

Competing priorities

Mid-way through installing critical software updates on office desktops, your in-house technician is called away to solve another problem. This distraction causes the patching round to fall by the wayside, leaving your network vulnerable to breaches.

In itself, a data breach doesn’t automatically give rise to a GDPR penalty. But if the safeguarding measures you had in place are not deemed “appropriate” to the risk, or if your action (or lack of it) negatively impacts the rights of individuals, you may find yourself having to deal with the data regulator.

To avoid this, organisations should focus on creating the type of environment where mistakes are less likely to happen.

Training

Areas of training to cover include the following:

  • Cybersecurity best practice. This includes password protection, avoiding fraud attempts (e.g. via spear phishing attacks) and what to do if an error has occurred.
  • Responding to data subject requests. Especially relevant to customer service staff – including those who are responsible for administering your social media feeds. Employees need the ability to spot enquiries relating to data rights, such as requests for access or erasure, however they arrive. Failure to action these requests swiftly (without undue delay, and in any event within one month of receipt, extendable only for complex or numerous requests) can give rise to penalties – so your people need to appreciate the importance of this.
  • Data governance. For data protection impact assessments (DPIAs), records of processing activities, internal breach logs and reporting breaches to the regulator and data subjects, ensure there are nominated persons responsible for these tasks. This avoids people mistakenly assuming that individual record keeping tasks are ‘someone else’s job’.

Automation and monitoring

Certain tools are designed to remove the possibility of human error. For instance, on the security front, key management tools keep you in better control of your encryption keys – where they are stored, who can use them and when they are rotated – so that a key is less likely to be left in a shared file or mailbox where an attacker who finds it can simply decrypt the data it protects.

As a rule, reliance on manual input increases the scope for human error. Suppression lists are a good example: when a customer withdraws their consent to receive communications and you need to update your records, it is far more reliable if your list is updated automatically at the point the consent is withdrawn, rather than relying on an employee to update an Excel spreadsheet before each send.

As part of their wider cybersecurity strategy, businesses should also consider ‘early warning’ solutions that can notify you that a breach may have occurred. Security information and event management (SIEM) tools collect logs from across your systems and apply rules that identify unusual and potentially harmful actions (a successful login for a user from a device that has never been seen for that user before, for instance). So even if an employee has made a mistake, such as handing their password to a phishing site, you can spot the consequences and address them swiftly.
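As an added illustration of the kind of rule a SIEM runs, here is a small ‘new device’ login detector in Python. This is example code written for this article, not part of the original page or of any product from The Privacy Compliance Hub. The JSON log format, its field names (`user`, `device_id`, `result`, `src_ip`), the one-week learning window and the sample log lines are all constructed assumptions; a real SIEM would use its own schema and rule language, but the logic is the same.

```python
"""New-device login detector over constructed authentication log lines.

Added example: not code from the original article or from The Privacy
Compliance Hub. The log format, field names, time windows and sample
lines are all assumptions made for illustration.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (one JSON object per line). Not real data.
SAMPLE_LOG = """\
{"ts": "2018-07-02T08:55:10Z", "user": "alice", "event": "login", "result": "success", "device_id": "lt-0a13", "src_ip": "10.0.4.21"}
{"ts": "2018-07-02T09:01:44Z", "user": "bob", "event": "login", "result": "success", "device_id": "lt-77c9", "src_ip": "10.0.4.30"}
{"ts": "2018-07-03T08:58:02Z", "user": "alice", "event": "login", "result": "success", "device_id": "lt-0a13", "src_ip": "10.0.4.21"}
{"ts": "2018-07-09T23:14:09Z", "user": "alice", "event": "login", "result": "failure", "device_id": "ph-9e2f", "src_ip": "203.0.113.7"}
{"ts": "2018-07-09T23:14:31Z", "user": "alice", "event": "login", "result": "success", "device_id": "ph-9e2f", "src_ip": "203.0.113.7"}
{"ts": "2018-07-10T09:00:12Z", "user": "bob", "event": "logout", "device_id": "lt-77c9", "src_ip": "10.0.4.30"}
"""

BASELINE_PERIOD = timedelta(days=7)   # assumed: devices seen in a user's first week are 'known'
FAILURE_WINDOW = timedelta(minutes=15)  # assumed: failures this recent are linked to the alert


def parse_ts(value):
    """Parse the assumed ISO-8601 UTC timestamp used in the sample log."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Turn JSON lines into event dicts, sorted by time so state builds up correctly."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        record["ts"] = parse_ts(record["ts"])
        events.append(record)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_new_device_logins(log_text, baseline=BASELINE_PERIOD):
    """Return an alert for each successful login from a device never seen for that user.

    Devices seen during the user's first `baseline` period are learned silently,
    so the rule does not page on every login while the baseline is still forming.
    Failed logins never populate the baseline (an attacker guessing passwords must
    not be able to 'teach' the detector their device), but they are counted so the
    alert shows whether the success was preceded by failures from the same device.
    """
    first_seen = {}                          # user -> time of first successful login
    known_devices = defaultdict(set)         # user -> devices already accepted
    recent_failures = defaultdict(deque)     # (user, device) -> failure timestamps
    alerts = []

    for ev in parse_log(log_text):
        if ev.get("event") != "login":
            continue                         # logouts and other events are ignored
        user, device, ts = ev["user"], ev["device_id"], ev["ts"]

        if ev.get("result") == "failure":
            recent_failures[(user, device)].append(ts)
            continue
        if ev.get("result") != "success":
            continue

        first_seen.setdefault(user, ts)
        if device in known_devices[user]:
            continue                         # known device: nothing to do

        if ts - first_seen[user] > baseline:
            # Outside the learning window: this is a genuinely new device.
            failures = recent_failures[(user, device)]
            while failures and ts - failures[0] > FAILURE_WINDOW:
                failures.popleft()
            alerts.append({
                "rule": "login_from_unseen_device",
                "ts": ts.isoformat(),
                "user": user,
                "device_id": device,
                "src_ip": ev.get("src_ip"),
                "preceding_failures": len(failures),
            })
        # Either way, the device is now known; the analyst decides whether it is legitimate.
        known_devices[user].add(device)

    return alerts


if __name__ == "__main__":
    for alert in detect_new_device_logins(SAMPLE_LOG):
        print(json.dumps(alert))
```

Running the block on the constructed sample raises exactly one alert: alice’s successful login from the phone `ph-9e2f` at a public address, a week after her first login and thirty seconds after a failed attempt from the same device. The same pattern appears when an employee has handed their password to a phishing site, which is why a rule like this gives you a chance to reset the credential and assess the breach before much data is taken. The learning window is the important design choice: without it, the rule alerts on every login during the first week and is quickly ignored.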

How should you report a data breach if one does occur?

You should certainly make your employees aware of your procedure in the event that they think a data breach has occurred. Certain data breaches need reporting to the regulator (the Information Commissioner’s Office (ICO) in the UK), but not every breach needs to be reported. Where a report is required, the GDPR expects it within 72 hours of your becoming aware of the breach, which is why staff need to escalate suspected incidents immediately rather than investigating on their own first. Some data breaches also need to be reported to the individuals affected, where the breach is likely to result in a high risk to them. If your business experiences a data breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data, you need to consider whether it poses a risk to people and, if so, the extent of that risk. There’s a self-assessment tool available on the ICO website to help.

If you determine it is necessary to make a report, this is done by calling the ICO on 0303 123 1113, Monday-Friday from 9am-5pm. You’ll be asked what has happened, when and how you found out about the breach, the people affected and what you are doing as a result.

If you wonder whether you are complying with the rules and regulations around the GDPR, take our 10 minute privacy health check to find out.


The Privacy Compliance Hub

Human error is a fact of life – and the risks associated with it cannot be eliminated completely. That said, through proper training, you can help to build the type of compliance-focused culture where mistakes are less likely. The right support is also crucial, and this is precisely what The Privacy Compliance Hub is designed to provide, telling you what to do, how to do it, who should do it and when. To discover how it works, take a look at our demo, or contact The Privacy Compliance Hub for a chat today.