More than three months after GDPR came into effect, businesses have found themselves between a rock and a hard place - taking every step possible to correct protocols, policies and procedures, but also aware that employees remain the weakest link in the security chain.
Consequently, many companies have understandably felt the need to make clear that individuals have responsibility for compliance and there’s no doubt this has raised the stakes in employees’ minds that negligence leading to data breach could cost them their job.
Actually, they’re not wrong in this assumption. Research we conducted with Ipsos just before the GDPR deadline passed indicated that 31% of British businesses that have suffered a data breach have sacked an employee as a result. Yet the same survey found a disturbing lack of training on basic fundamentals: just over half (55%) of large businesses have trained their employees on the use of public Wi-Fi, and only 70% have provided training on identifying fraudulent emails (the latter was the highest rate among any critical security training).
While, at one level, it’s easy to say that a lot of these precautions are common sense, it is hard to be fully mindful all the time without consistent, clear training. It can’t just be thrown into an employee handbook and considered job done. Businesses also have a responsibility here.
A level of accountability is, of course, necessary, because businesses will not be GDPR compliant without it. Yet employees will feel unduly pressurized if they are not well trained. That damages trust and engagement between employer and employee.
Here are five simple, practical steps for businesses to achieve accountability, without crushing employee spirit:
- Audit your training – Audit your existing training procedures and frequencies to confirm that training is sufficient, that recall is high and that it is delivering actionable results. Are basic instructions, such as caution when opening email links (even from apparently trusted sources) and the use of public Wi-Fi, included within your syllabi? Are employees well aware of all prospective data risks? Use online learning management tools to build training courses that are repeatable and easy to update, and thus cost effective.
- Set the right tone from the outset – For all new employees, it’s critical to underline their roles and responsibilities and leave no room for misunderstanding about what is expected of them from a data security point of view. However, this is also the time to reassure them about all of the support they are able to lean on to avoid compromising confidential information. Work with your HR team and line managers to ensure that these resources are clearly signposted within induction plans.
- DPO, IT and HR unite! – Don’t let GDPR and data security become the buried giant that people only hear about once a year or when they join the company. Unite your Data Protection Officer, IT and HR leads to build and deliver an internal communications plan that keeps employees engaged. Bringing those perspectives together is crucial to striking the balance between reminding staff of their accountability and scaring them stiff.
- Focus on collective responsibility – Reassure and remind employees about the tireless work that goes into keeping the business safe in other departments. That’s not just GDPR work. Highlight all of the work that IT and the DPO are doing to keep the business safe and reduce the risk employees are exposed to – encrypting laptops, mandating a VPN to access email and files outside of the office, destroying end-of-life devices. This tactic both underlines the importance of strict data protection procedures and makes clear that everybody is in it together.
- Lead from the front – When you think about your company, can you honestly say that the bad habits related to data security are limited only to the junior employees? The leadership team needs to walk the walk in order to truly instill the aforementioned collective responsibility. Think about strictly implementing a clean desk policy, privacy screens, diligence on screen locks, shredding documents, and encouraging colleagues to do the same by example.
As ICO enforcement fines begin to appear more frequently and at higher sums, it will be tempting to let the fear factor creep in and remind employees of their contractual responsibility. Creating a climate of fear around data security errors can be counterproductive, however, and employees need to feel supported with both training and resources.
There are simple, practical steps to avoid falling into this trap, but they must be well organized and executed to ensure compliance, maintain employee engagement and prevent unnecessary data breaches and the corresponding job losses.