I caught up with Oz Alashe MBE, CEO of CybSafe and former UK special forces cyber security expert, to discuss the crucial role employees play in helping organisations meet their GDPR obligations. I think you will agree it makes for compelling reading, and we look forward to hearing more at LDSF UK.
What is GDPR and why is it important?
The EU's General Data Protection Regulation (GDPR) is an important piece of EU legislation designed to modernise our approach to data protection, and to consolidate legislation across the EU. At present, the UK’s legal system for data protection is the Data Protection Act 1998, brought into force in the wake of the 1995 EU Data Protection Directive. However, this will be superseded by GDPR when this is implemented in May 2018.
The importance of the legislation can’t be understated. To the general public, GDPR is important. These rules give people more say over what companies can do with their data, provides legal power for those who wish to take back ownership of their data, and means that individuals must provide explicit consent before their data is stored or used in the first place.
And while I don't believe that this should be the focus, it is worth noting that GDPR also introduces significantly tougher fines for non-compliance and breaches. Under GDPR, the ICO (Information Commissioner’s Office) can levy fines of up to 20 million Euros or 4% of group worldwide turnover (whichever is greater) against both ‘data controllers’ and ‘data processors’, if it feels that both have played a part in breaching the legislation.
How can organisations ensure their people understand those obligations?
Abiding by GDPR legislation means that across the entire company (including IT, marketing, customer support, and data teams), staff need to be aware of new policies and execution of any changes.
Education is key, but training needs to be thorough. A tick-box approach to GDPR compliance training is clearly not sufficient. Neither is overwhelming staff with information about GDPR or giving staff a bulky GDPR ‘training manual’. People retain much more information in regular, smaller chunks, and the way that businesses encourage GDPR compliance needs to reflect this.
In short, GDPR compliance needs to be an ongoing item in staff training.
What implications does GDPR have for cyber security, and how can organisations best prepare?
Despite there being no specific cyber security regulations within GDPR itself, paradoxically, the new legislation actually has enormous implications in this area. This is because GDPR will levy fines against all companies who have allowed their data to be breached, regardless of whether that data was compromised accidentally or through malicious means. In other words, companies don’t have a “get-out clause” when they’re on the receiving end of a data breach.
Indirectly, therefore, GDPR is going to encourage many more organisations to pay greater attention to cyber security, as the financial costs of not doing so could be crippling for a business.
What role do employees play in data governance?
Employees at almost all levels of an organisation handle important information that will fall under the scope of GDPR, and are thus central to the data governance strategy of a business. I think that the core role that staff can play is twofold:
First of all, staff need to be trained to defend against cyber attacks. I mentioned in my previous answer just how damaging a data breach can be under the conditions of GDPR, and staff can be a first line of defence to prevent this. Around 75 percent of breaches that occur in business relate to people, so protecting a business and avoiding large GDPR fines will for the most part involve training staff to act safely online.
The second role that employees need to play is simply understanding GDPR and personally being compliant with its terms. Staff should not only be aware of GDPR’s core idea of ‘privacy by design’, but they should also be in the know when it comes to some of the law’s key requirements: that any data that can be used to identify an individual is considered ‘personal data’, and that staff need to demonstrate valid consent for using personal information, to give two examples.
What weaknesses might a large organisation overlook?
Large organisations often assume that they merely need to think about data handling and cyber security internally. However, in recent years, large companies are finding that the weak link in their data-security strategy is not, in fact, their own cyber security defences. Increasingly, the chink in a company’s armour comes from the smaller companies they do business with.
Large businesses often rely on a vast network of suppliers and partners, many of which are SMEs. These can be easier targets for attackers when the target enterprise itself has already implemented a security program in-house.
Once GDPR comes into force, businesses will soon realise that it’s not enough to ensure their own network is secure, and that they must now also pay acute attention to securing the supply chain.
From your experience, are organisations’ employees adequately trained? What advice can you provide?
Companies often gloss over the human aspect of their organisation, but with GDPR forthcoming, staff training is an issue that businesses are going to have to confront head on.
When companies do decide to train their staff, the approach they take is often archaic and ineffective. Fundamentally, training needs to drive tangible changes in staff behaviour, and for this to occur, businesses need to consider a training program that considers the real world behaviours of people.
CybSafe’s program of training, for example, isn’t simply about fact-learning. Instead, the course is designed to drive tangible changes in human psychology, to combat the instinctual human emotions that drive us to mindlessly click on links, for instance, even when we know full well that we shouldn’t.
Join Oz Alashe, UK Cloud's Nicky Stewart and our other panelists to discuss the implications of GDPR for business processes and people at Liferay Digital Solutions Forum UK in London on 8th November.