Since GDPR regulations came into effect, the need to audit and train your human firewall is more important than ever. In this third post in our series on steps to GDPR compliance, we focus on the biggest data privacy risk of all – people!
A 2016 Freedom of Information Request to the UK Information Commissioner's Office revealed that human error accounted for almost two-thirds (62 percent) of incidents reported to the ICO. A similar picture emerges in the U.S., where CompTIA's survey of trends in information security estimates that human error is a factor in 52 percent of security breaches.
The role of human error in data privacy and security breaches is both significant and well documented. But what's surprising is that this is not new information. Just a little digging into well-respected surveys and reports going back many years shows that human error has always been a major cause of data privacy incidents. We definitely know what the problem is, but it seems we're not having much success in solving it.
When it comes to the human factor in data protection we immediately think of the central role of training and communication and we usually see organizations doing three things:
- We produce policies setting out expected standards of behavior – and sometimes have employees sign off, agreeing that they have read the policy and agree to abide by it.
- We roll out data protection training – often an annual, or even less frequent, event depending on how successful we are at squeezing into the company's training calendar.
- We ensure we have an audit trail showing who completed the training and when – meaning that, if all else fails, we can rely on the "bad apple" defense.
What Could Possibly Go Wrong?
Of course, policies, training and audit trails are absolutely essential elements of an effective GDPR compliance program. The concern is less about what we do and more about how we do it to ensure that we actually drive the behavioral change that is so clearly needed. If we are really going to address the human factor, we need to understand why people don't follow policies, why they don't change their behavior and why they are so careless with such valuable data.
Start with Why
A recent survey by Gallup concluded that the world has an employee engagement crisis. “Worldwide, the percentage of adults who work full time for an employer and are engaged at work – they are highly involved in and enthusiastic about their work and workplace – is just 15 percent.” In short, this means that significant numbers of employees simply don't care about what happens at their company.
In the context of data protection, this finding suggests that we need to re-think our approach to the engagement tactics we use in our training and communications. Typically, there are two approaches: the CEO message (“I care so you should care”) and the fear factor (“do this or else”). Though tone at the top is vitally important, as is an appreciation of the scale of data privacy risk in businesses, in order to change employee attitudes and drive behavior we need something more.
Simon Sinek's Ted Talk about inspiring leadership is helpful here. Sinek explains that much human decision making is controlled not by rational and objective analysis but by the more primitive limbic system which deals with emotion and feeling. As advertising guru Robin Wight says, “The causal role of conscious thought has been vastly overrated, and what we are in fact is not rational creatures, but rationalizing creatures.”
Perhaps this is one of the reasons that a dialogue is emerging around the relationship between compliance in the workplace and shared human values. After all, there is a very human cost to non-compliance in most risk areas, and data privacy is no exception. Central to data privacy compliance is a very powerful theme of protection which, if personalized, can engage and motivate employees. Taking a personal, human view of the risk means we can help employees protect their own personal data and keep their families safe and this, in turn, may drive more compliant behaviors at work.
So What Does Good Look Like?
Training and communications are a central part of GDPR compliance and, potentially, one of the most effective ways of addressing the human error factor. Here's a short checklist of things to consider for an effective GDPR awareness program:
SAI Global offers a complete GDPR solution including software, advisory services and innovative communication and training solutions. You can learn more about our GDPR solutions here or contact us for a demonstration. Why not watch our Pre-recorded webinar Building a GDPR Human Firewall.