Lack of training and clear responsibilities
A previous customer sends an email requesting copies of her account records. Your new customer services rep (who doesn’t know anything about the GDPR) has been told to prioritise replies to potential new customers, so this subject access request goes unanswered and un-actioned.
Meanwhile, your IT team has picked up on a data breach. This has been identified and rectified before any “risk to the rights and freedoms of data subjects” arose. The GDPR requires that the incident is logged internally. But each team member assumes that someone else has made the entry, so it isn’t dealt with.
Lack of visibility
Your customer data is scattered across multiple locations and formats. When a customer asks you to confirm what data you hold on them, you overlook some information held on a rarely-accessed database. This leads you to give a misleading and inaccurate response.
As another illustration, you receive a formal complaint from a customer who recently removed their consent for receiving marketing communications, but has just received your latest emailed newsletter. It turns out that you failed to apply the latest version of your communications suppressions list before sending out the email.
A hacker masquerading as a representative from your courier partner sends an email to your warehouse manager. Your employee responds, enclosing the names and delivery addresses for your next batch of orders.
Mid-way through installing critical software updates on office desktops, your in-house technician is called away to solve another problem. This distraction causes the patching round to fall by the wayside, leaving your network vulnerable to breaches.
In itself, a data breach doesn’t automatically give rise to a GDPR penalty. But if the safeguarding measures you had in place are not deemed “adequate”, or if your action (or lack of it) negatively impacts the rights of individuals, you may find yourself having to the deal with the data regulator.
To avoid this, organisations should focus on creating the type of environment where mistakes are less likely to happen.
Areas of training to cover include the following:
- Cybersecurity best practice. This includes password protection, avoiding fraud attempts (e.g. via spear phishing attacks) and what to do if an error has occurred.
- Responding to data subject requests. Especially relevant to customer service staff – including those who are responsible for administering your social media feeds. Employees need the ability to spot enquiries relating to data rights, such as requests for access or erasure. Failure to action these requests swiftly (and in no later than 30 days) can give rise to penalties – so your people need to appreciate the importance of this.
- Data governance. For privacy impact assessments, records of processing activities, internal breach logs and reporting breaches to the regulator and data subjects, ensure there are nominated persons responsible for these tasks. This avoids people mistakenly assuming that individual record keeping tasks are ‘someone else’s job’.
Automation and monitoring
Certain tools are designed to remove the possibility of human error. For instance, on the security front, specialist management tools can help keep you in better control of your encryption keys, making it less likely that encrypted data is erroneously ‘unlocked’ by cyber criminals.
As a rule, reliance on manual input increases the scope for human error. Suppressions lists are a good example: when a customer removes their consent to receive communications and you need to update your records, it is far more reliable if your list is updated automatically, rather than relying on an employee to update an excel spreadsheet.
As part of their wider cybersecurity strategy, businesses should also consider ‘early warning’ solutions that can notify you that a breach may have occurred. Security information and event management (SIEM) tools are designed to identify unusual and potentially harmful actions (an attempted login from a previously unseen device, for instance). So even if an employee has made a mistake, you can address it swiftly.
How should you report a data breach if one does occur?
You should certainly make your employees aware of your procedure in the even that they think a data breach has occurred. Certain data breaches need reporting to the regulator (the Information Commissioner’s Office (ICO) in the UK), but not every breach needs to be reported. Some data breaches need to be reported to the individuals affected. If your business experiences a data breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data, you need to consider whether and, if so, the extent of the risk this poses to people. There’s a self-assessment tool available on the ICO website to help.
If you determine it is necessary to make a report, this is done by calling the ICO on 0303 123 1113, Monday-Friday from 9am-5pm. You’ll be asked what has happened, when and how you found out about the breach, the people affected and what you are doing as a result.