GDPR came into force in May but many businesses remain unclear about what the risks of non-compliance are and who is responsible for protecting their data. In order to ensure full compliance, a change in our data culture is required.
It may be tempting to invest in training that promises to tackle GDPR head on, but it is important to appreciate that there is no silver bullet for achieving GDPR compliance. Without a programme that goes beyond just theoretically educating employees on how to safely handle data, vulnerabilities will undoubtedly open up.
Tangible training is crucial and a massive part of achieving robust data security, as is ensuring that your workforce has access to the right tools and processes to do that.
Here, we will discuss the need for businesses to implement best business practice when it comes to protecting their data, and why there should be clearly defined roles when it comes to remaining GDPR compliant.
What’s all the fuss about?
Friday 25 May 2018 was a date marked in the diaries of almost every business – GDPR had come into effect.
With so much uncertainty around the Information Commissioners Office’s (ICO) ability to police compliance and therefore to impose fines, businesses were not and are still not entirely sure what the consequences will be or how it will truly affect them.
With a vast amount of misleading information available, it is easy to see why a business might have taken the quickest or cheapest approach to demonstrate a move towards becoming compliant in order to avoid potential fines.
However, these short-term fixes are not necessarily the long-term, on-going solution needed nor do they guaranteed that a fine will be avoided.
Although a data breach is likely to be caused by an employee, it is still the responsibility of the employer to ensure employees have the right tools to effectively manage data.
The reputational damage caused by being found to be non-compliant is still overlooked and far outweighs the fine itself.
Businesses found to be non-compliant may find their supply chain partners are also unwilling to take the risk of trading with organisations that aren’t remaining compliant, and the individual employees involved may fall victim to damage too.
Knowing your role
With the potential for businesses to fall foul of GDPR compliancy, it is imperative that everyone within an organisation knows their role when it comes to remaining compliant. This goes for the employers, as well as employees.
Sensitive data is likely entering a business every day and being handled by potentially more than one person. This movement and handling of critical data can easily leak through documents and emails, posing a threat to regulatory compliance and business success.
With GDPR training often being hypothetical and intangible, having a tool that can show data breaches and how they can occur can really help employees grasp the urgency for handling sensitive data in the correct way.
This means employee training must be implemented and maintained to ensure compliance remains. Employees have to understand the financial and reputational risk to their employer, and also personal risk for those that breach data protocol.
While it may be easy for employers to produce training for all employees that ‘ticks the boxes’ and covers all the information around GDPR, it is imperative that training is specific and targeted to general concerns within the business.
By making the training relevant to employees’ day-to-day responsibilities, it is much easier for them to understand and engagement is likely to be higher.
Setting the standard
Although a data breach is likely to be caused by an employee, it is still the responsibility of the employer to ensure employees have the right tools to effectively manage data.
By choosing a discovery tool that locates personal identifiable data (PID) from both structured and unstructured data sources such as inboxes, and highlights the movement of PID and business critical data, businesses of all sizes can ensure they have protected or quarantined everything that could pose a risk. This even includes new emails that have been sent since the GDPR deadline passed.
Having a tool like this can help employers and employees remain compliant. The technology driven assessments and powerful dashboards that data discovery tools offer provide critical information needed to form an on-going compliance strategy and can help support employers to create an effective training programme for employees.
With GDPR training often being hypothetical and intangible, having a tool that can show data breaches and how they can occur can really help employees grasp the urgency for handling sensitive data in the correct way.
Shifting the culture
Until the first major business fine occurs, businesses will not truly know the risk of not remaining GDPR compliant. However, that should not stop them from considering the wider business risks and implications of not protecting their data in an appropriate way.
With every new idea, it can take time for employees to become supportive and adapt a new approach. Therefore it is important that employers ensure that they demonstrate why this is a priority to the business by building bespoke, ongoing training and investing in the appropriate technologies and systems.
By combining an engaging training programme with new technology that can assist employees, businesses can ensure that implement a real long-term culture change around how GDPR is viewed within a business.
Want to learn more about this topic? Read GDPR: how HR can embrace it as a catalyst for positive change.