From email marketing through to cyber security, much of the advice on the GDPR focuses on the technical and process-based changes businesses need to make. But compliance isn’t something you can automate and ongoing compliance cannot be achieved unless the people within your business understand and are able to meet their data-related responsibilities.
Even with the best intentions, customer data requests can be overlooked, people can make security slip-ups and reporting obligations can be missed. Human error can mean sleepwalking towards a regulatory penalty – making this one of the most significant compliance risks faced by any business.
Here, we look at some of the common areas of data management, privacy and security that can be impacted by human error, what this means for your GDPR compliance strategy and what you can do to minimise the risk.
How your employees can jeopardise your GDPR compliance efforts
From staff inadvertently clicking on infected web links to sending the wrong information to the wrong address, the majority of data breaches are thought to be down to human error. Even when organisations are targeted by attacks from the outside, more often than not it’s a case of the attacker taking advantage of weaknesses that could and should have been closed down. Last year’s WannaCry ransomware attack illustrated this: hackers exploited a weakness in Windows to cripple hundreds of thousands of computers across the globe, yet Microsoft had issued a patch to fix the weakness months before the attack. In the vast majority of cases, installing the patch would have insulated those endpoints from the attack.
Lack of training, a momentary lapse, procrastination – or simply having too many things to do: any of these can give rise to error. Here’s how this can hamper GDPR compliance:
Creating compliance blind spots
Examples include focusing your compliance efforts solely on customer data while overlooking other areas, such as how you safeguard your HR data. ‘Technical bias’ can also be an issue here – especially if your IT team is taking the lead on compliance. For instance, lots of attention might be paid to safeguarding digital data (e.g. through encryption and system access restrictions), while nobody considers what to do with your filing cabinets full of legacy physical records.