If only you knew what it costUnless employees understand the legislative framework, the level of risk to their organisation (both reputational and financial) and how that effects what they do day to day, staff will never really fully understand the impact of their actions whilst carrying out their day-to-day tasks The introduction of compulsory breach reporting, coupled with a significant rise in the maximum fines for data breaches (increasing from £500,000 to a maximum of £20m or, if higher,”four per cent of global turnover) means that data could actually become a toxic asset the equivalent of asbestos for the 21st century digital age. We have seen significant fines issued where employees have not wiped hard drives in accordance with the correct policy for doing so and subsequently sold those hard drives on eBay containing the medical data of several thousand patients or where faxes containing details of child abuse proceedings have been sent to the wrong fax number and these fines will only increase under the new regime of compulsory breach reporting and heftier fines. Get the message out that careless mistakes cost a fortune, can affect the financial and reputational health of the company and even employment security.
Identify the problemBroadly speaking, human error tends to involve data posted, emailed or faxed to the wrong recipient or loss (theft?) of paperwork. Not encrypting data on portable devices and then losing those devices, and failure to redact data appropriately are also key areas where human error demolishes data protection. An especially common form of human error happens when e-mail marketing is sent out and all the recipients are identifiable to each other rather than being a sent one where email addresses are hidden via a blind copy (Bcc). Whilst there is software now available to organisations to help detect and prevent this kind of incident, this type of breach is still all too frequent and one such example occurred back in 2015 when a HIV clinic sent out a mailshot to over 700 users who had previously opted to receive test results and book appointment by e-mail. This resulted in the NHS Foundation Trust concerned receiving a £180,000 fine.
Make your company understand the issuesThere’s no substitute for education, inculcating staff culture with a profound understanding of the need to be careful. Whether it’s regular training sessions, company pep talks or poster campaigns around the office reminding people of the need to check and double check whether they are doing, staff training is perhaps the key to offsetting human error
Publish a protocolMany organisations have excellent written policies dealing with data protection matters covering things such as encrypting data on portable data storage devices, wiping hard drives after useAnd not taking physical hard copy files out of the office. However, if staff are not trained on these policies, how are they expected to comply with those policies if they can’t relate the written policies to their physical actions whilst carrying out their job on a day-to-day basis.
Keep up to date with softwareWhilst software is also available to help prevent the spread of computer viruses or malicious software used to access and steal data, prevention software is often one step behind the viruses themselves and as such there is also a window of opportunity where an employee innocently opens an e-mail or clicks on a link that releases the virus and infects their system, possibly having devastating consequence son their employers systems and data integrity. You need someone on the case, constantly monitoring this and employees need to be trained on an on-going basis around what to look out for suspicions e-mail or link wise.
ConclusionsSmart approaches to matters such as email encryption and online collaboration is only part of the way to ensure correct protection and control is applied to data. The rest is down to we human beings who all need reminding that while we may be smart enough to build the future we mustn`t be careless enough to throw it all away. Christian Mancieris a partner in the corporate and commercial law department at Gorvins solicitors and a specialist in data protection law.
Share this story