You use technology at work. We all use technology at work. Which means that we all process personal information to a greater or lesser degree. But a lot of us don’t understand what that means. Which means that most of us don’t care. And what that means is that a lot of us do very little to protect the personal information that we process. I blame those writing about the GDPR.

A lot of journalists and commentators write about the GDPR (including me). Such writers like to concentrate on what the GDPR means for so called ‘Big Tech’ (capital ‘B’ and ‘T’ compulsory). But, most of us don’t work in ‘Big Tech’ (at least I don’t anymore). We might work in tech, but we aren’t big by ‘Big Tech’ standards. As a result, such articles still don’t make us understand, care or do anything about the personal information that we process in our day to day working lives.

Annual Report of The Irish Data Protection Commission

Take the reporting last week of the Annual Report issued by The Irish Data Protection Commission. All the headlines were about investigations into Facebook, Twitter, Apple, LinkedIn, WhatsApp and Instagram. That is because if you put those company names into your article, more people will read it. More readers, more impressions. More impressions, more advertising revenue. More revenue means a happy editor. In short, such articles are more click bait than useful commentary.

What is more important is what those journalists and commentators don’t write about. And that is what you should understand. Because if you understand, you will care and if you care perhaps you will do your bit to protect the personal information that you process every day.

The report let us all know what the Irish Data Protection Commission was up to in 2018. It was telling us what it had been dealing with in Ireland in 2018, including since the GDPR came into force on 25 May 2018. It was telling us why we should care.

A surge in complaints

There were 2864 complaints made to the Irish Data Protection Commission in 2018. This period covered both pre GDPR complaints and post GDPR complaints. Out of this total, 977 of the complaints were access rights complaints (or 30%). This was the biggest category of complaint. This can be compared to the number of complaints about electronic direct marketing which amounted to only 6% of the total.

There has not been a great change in the nature of the complaints being made year on year, but what has changed is the number. In 2013, 910 complaints were received. In 2018, 2864 complaints were received. That is an increase of 314%. In other words, people are beginning to care.

Data breaches are not what you think

Of the 2864 complaints made to the Irish Data Protection Commission in 2018, only 48 were categorised as data breach complaints. However, during the same period a total of 4,000 data breaches were notified. That is a lot of potential for regulatory action and bad publicity.

What is particularly interesting, is what caused the breaches. Less than 1% were caused by hacking. What caused by far the most data breaches was what was designated as “unauthorised disclosure”. In other words, someone disclosed personal information to someone who wasn’t meant to see it. And because computers don’t disclose personal information of their own volition, that means that a person was to blame.

Perhaps if that person had a better understanding of what the GDPR means for them they would have cared more and not made the mistake that led to the data breach.

How you ensure that you don’t have a data breach, or a complaint

You can never eliminate this risk completely, but you can reduce it. More importantly, you can reduce the risk of fines and bad publicity associated with such a breach or complaint.

If a breach occurs, or a complaint to the regulator is made, what you need to be able to demonstrate is that you understand your obligations, care about them and have done something about them. In other words, you need a comprehensive data protection compliance programme. That data protection compliance programme needs to make people care. You need to embed a culture of continuous compliance within your organisation.

What you should do first to reduce your risk

You have two choices. You either sack all your staff, or train them. I assume that you don’t want to do the former!

Train your staff so that they understand what data protection compliance is. If they understand, hopefully they will care. And if they care, hopefully they won’t make the sort of mistake that leads to a complaint or you having to report to your regulator.

How you build and maintain a culture of continuous compliance

You could build it yourself, but you might find that difficult and time consuming. You could get a consultant or lawyer to try and do it for you, but that is likely to be expensive. You could buy privacy compliance software, but that will only tick some of the boxes.

What you need is a comprehensive data protection compliance programme which shows you how to do compliance in an easy to understand way. This is what The Privacy Compliance Hub provides. The Privacy Compliance Hub is what true GDPR compliance looks like. It provides:

  • a privacy builder based on our unique Eight Privacy Promises
  • training for all of your staff
  • vital privacy information updated on a continuous basis
  • a suite of templates drafted for speed and ease of use
  • comprehensive GDPR compliant record keeping
  • reporting for you, your board and your regulators.

It enables you to own your compliance. Feel free to request a demo.