From email marketing through to cyber security, much of the advice on the GDPR focuses on the technical and process-based changes businesses need to make. But compliance isn’t something you can automate and ongoing compliance cannot be achieved unless the people within your business understand and are able to meet their data-related responsibilities.
Even with the best intentions, customer data requests can be overlooked, people can make security slip-ups and reporting obligations can be missed. Human error can mean sleepwalking towards a regulatory penalty – making this one of the most significant compliance risks faced by any business.
Here, we look at some of the common areas of data management, privacy and security that can be impacted by human error, what this means for your GDPR compliance strategy and what you can do to minimise the risk.
How your employees can jeopardise your GDPR compliance efforts
From staff inadvertently clicking on infected Web links to sending the wrong information to the wrong address, the majority of data breaches are thought to be down to human error. Even when organisations are targeted by attacks from the outside, more often than not it’s a case of the attacker taking advantage of weaknesses that could and should have been closed down. Last year’s WannaCry ransomware attack illustrated this, in which hackers exploited a weakness in Windows to cripple hundreds of thousands of computers across the globe. In fact, Microsoft had issued a patch to fix the weakness months before the attack. In the vast majority of cases, installing the patch would have insulated those endpoints from the attack.
Lack of training, a momentary lapse, procrastination – or simply having too many things to do: any of these can give rise to error. Here’s how this can hamper GDPR compliance:
Creating compliance blind spots
Examples include focusing your compliance efforts solely on customer data while overlooking other areas, such as how you safeguard your HR data. ‘Technical bias’ can also be an issue here – especially if your IT team is taking the lead on compliance. For instance, lots of attention might be paid to safeguarding digital data (e.g. through encryption and system access restrictions), while nobody considers what to do with your filing cabinets full of legacy physical records.
Lack of training and clear responsibilities
A previous customer sends an email requesting copies of her account records. Your new customer services rep (who doesn’t know anything about the GDPR) has been told to prioritise replies to potential new customers, so this subject access request goes unanswered and un-actioned.
Meanwhile, your IT team has picked up on a data breach. This has been identified and rectified before any “risk to the rights and freedoms of data subjects” arose. The GDPR requires that the incident is logged internally. But each team member assumes that someone else has made the entry, so it isn’t dealt with.
Lack of visibility
Your customer data is scattered across multiple locations and formats. When a customer asks you to confirm what data you hold on them, you overlook some information held on a rarely-accessed database. This leads you to give a misleading and inaccurate response.
As another illustration, you receive a formal complaint from a customer who recently removed their consent for receiving marketing communications, but has just received your latest emailed newsletter. It turns out that you failed to apply the latest version of your communications suppressions list before sending out the email.
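The suppression failure described above is a send-time check, and the simplest way to make it hard to get wrong is to refuse to build a send batch from a stale list. The following is an added example, not code from the original article: it assumes a single-opt-out suppression list with a last-refreshed timestamp, normalises addresses before matching so that "Bob@Example.COM" and "bob@example.com" are treated as the same person, and raises if the list is older than the most recent recorded consent change. The names, sample addresses and dates are all constructed for the illustration.

```python
"""Send-time suppression check (added example; assumptions are labelled inline)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


def normalise_email(addr: str) -> str:
    """Canonical form used for matching: trimmed and lower-cased."""
    return addr.strip().lower()


class StaleSuppressionList(Exception):
    """Raised when the suppression list predates the latest consent change."""


@dataclass
class SuppressionList:
    """Addresses that must not be mailed, plus when the list was last refreshed.

    The refresh timestamp is an assumption of this example; the article only
    says the 'latest version' of the list was not applied.
    """
    updated_at: datetime
    addresses: set = field(default_factory=set)

    def __post_init__(self) -> None:
        # Normalise whatever was loaded so later membership tests are exact.
        self.addresses = {normalise_email(a) for a in self.addresses}

    def add(self, addr: str, when: datetime) -> None:
        """Record a withdrawal of consent and advance the list's timestamp."""
        self.addresses.add(normalise_email(addr))
        self.updated_at = max(self.updated_at, when)


def build_send_batch(recipients, suppression: SuppressionList,
                     latest_consent_change: datetime) -> list:
    """Return the recipients allowed to receive the mailing.

    Refuses to proceed if the suppression list is older than the most recent
    consent change, which is the failure mode the article describes.
    """
    if suppression.updated_at < latest_consent_change:
        raise StaleSuppressionList(
            f"suppression list refreshed {suppression.updated_at:%Y-%m-%d}, "
            f"but consent changed {latest_consent_change:%Y-%m-%d}; refresh first"
        )
    return [r for r in recipients
            if normalise_email(r) not in suppression.addresses]


# Constructed sample data for the demonstration (not real customers).
T_OLD = datetime(2018, 5, 1, tzinfo=timezone.utc)
T_LATEST = datetime(2018, 5, 20, tzinfo=timezone.utc)
RECIPIENTS = ["alice@example.com", "bob@example.com ", "carol@example.com"]


def demo_current_list() -> list:
    """Fresh list: Bob withdrew consent at T_LATEST, so he is filtered out."""
    current = SuppressionList(updated_at=T_OLD)
    current.add("Bob@Example.COM", T_LATEST)
    return build_send_batch(RECIPIENTS, current, T_LATEST)


def demo_stale_list() -> bool:
    """Stale list: loaded before Bob's withdrawal, so the send must be refused."""
    stale = SuppressionList(updated_at=T_OLD)
    try:
        build_send_batch(RECIPIENTS, stale, T_LATEST)
    except StaleSuppressionList:
        return True
    return False


if __name__ == "__main__":
    print("batch from current list:", demo_current_list())
    print("stale list refused:", demo_stale_list())
```

The point of the timestamp gate is that the suppression filter itself is rarely the bug; the bug is running a correct filter against yesterday's data. Tying the list's freshness to the consent record turns a silent omission into a loud failure before anything is sent.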
A hacker masquerading as a representative from your courier partner sends an email to your warehouse manager. Your employee responds, enclosing the names and delivery addresses for your next batch of orders.
Mid-way through installing critical software updates on office desktops, your in-house technician is called away to solve another problem. This distraction causes the patching round to fall by the wayside, leaving your network vulnerable to breaches.
In itself, a data breach doesn’t automatically give rise to a GDPR penalty. But if the safeguarding measures you had in place are not deemed “adequate”, or if your action (or lack of it) negatively impacts the rights of individuals, you may find yourself having to deal with the data regulator.
To avoid this, organisations should focus on creating the type of environment where mistakes are less likely to happen.
Areas of training to cover include the following:
- Cybersecurity best practice. This includes password protection, avoiding fraud attempts (e.g. via spear phishing attacks) and what to do if an error has occurred.
- Responding to data subject requests. Especially relevant to customer service staff – including those who are responsible for administering your social media feeds. Employees need the ability to spot enquiries relating to data rights, such as requests for access or erasure. Failure to action these requests swiftly (and no later than 30 days after receipt) can give rise to penalties – so your people need to appreciate the importance of this.
- Data governance. For privacy impact assessments, records of processing activities, internal breach logs and reporting breaches to the regulator and data subjects, ensure there are nominated persons responsible for these tasks. This avoids people mistakenly assuming that individual record keeping tasks are ‘someone else’s job’.