It may seem odd to think about GDPR, but consider the question – what's the root cause of most GDPR breaches?
The first answer that comes to mind might be that most breaches occur due to ineffective systems or targeted cyber-attacks, but they are not the number one root cause.
People, rather than processes, cause most data protection breaches. A survey by CompTIA revealed that more than half of breaches had human error at their root rather than systems failure.
If businesses are serious about ensuring they're compliant with GDPR, their approach needs to put people before the process.
There are two reasons why this is the case.
And if you still need persuading, take a look at this eye-watering statistic. PricewaterhouseCoopers (PwC) found that larger firms suffered breaches costing approximately £1.5m to £3m. For smaller businesses, the figures were still quite high, ranging from £75,000 to £310,000.
PwC also found that half of the worst instances were caused by "inadvertent human error".
This finding directly links people not doing what they're supposed to do with the biggest fines levied.
Flipping this around, people can make the difference between staying compliant and being subject to large, possibly damaging fines.
Isn't GDPR a case of ensuring robust systems and controls are working correctly? Think about these points:
There's one common theme running through all of these – people. People are at the heart of both the design and operation of the controls. Without the knowledge and expertise of people, and the ability to operate processes efficiently, businesses will be exposed.
So, if people are so crucial to the success of GDPR implementation and ongoing compliance, what are the keys to unlocking this effectiveness?
Ultimately, this boils down to understanding, knowledge, and skills, all of which GDPR training can help with.
An appreciation of GDPR and what it means for both businesses and their customers is a good starting point. Without this understanding, people won't necessarily know why they're asked to do what they're supposed to do.
Missing out on this vital step could prove very damaging. Under Article 39 of the GDPR, the Data Protection Officer is tasked with:
"monitoring compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits"
Once the fundamentals are understood, it's time to get a bit more granular with the training, and that's when specific business requirements kick in. For instance, do you interact with third parties? Then the relevant people need to be trained on the requirements that apply here. Likewise, those who deal with subject access requests and erasure need to know what is required of them.
Testing those skills is absolutely crucial to success – and this isn't just a case of making people sit self-assessment questionnaires, although that is important. Finding the opportunity to test knowledge through fun means can be invaluable.
It is vital to ask the following questions and resource training to address any gaps: