Security is a hot issue these days. Not a day goes by without news of a new breach, a new scandal or a new data issue: Cambridge Analytica scraping Facebook accounts without user consent, Kent and Medway NHS Trust, where an employee accessed patient records without a valid business reason, the National Lottery, and even the Dutch Data Protection agency accidentally leaking its own employees' personal data. You name it, it has happened.
There are so many data breaches these days that the mainstream media hardly mention them unless the case can be easily related to their viewers or readers, but far more happen than we normally hear about.
One thing the NHS and Dutch cases have in common is that it was not the technology that failed: the breach was man-made. In the Dutch Data Protection agency case, staff names were accidentally included in PDF documents the organisation issued. The names had been removed from the visible document text but not from the metadata (the data a document holds about itself, such as its author, which is not usually visible unless you explicitly look for it).
In the NHS case, although there seems to have been no malice, a junior member of staff accessed records out of "curiosity". The person was dismissed from the Trust, but the breach stands: the Trust had to notify the patients whose records were accessed, and the incident was reported to the ICO and the police, who are pursuing a case against the staff member.
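The metadata failure mode described above is easy to check for before a document leaves the organisation. The following Python is an added example, not part of the original article or of any tool it mentions; the minimal PDF and the names in it are constructed for illustration, and the scanner only handles the simple, uncompressed layout noted in its comments.

```python
"""Check whether names removed from a PDF's visible text still survive in its
metadata.  Added example for illustration; not from the original article.

Covers only the simple case: an uncompressed classic /Info dictionary and an
uncompressed XMP packet.  Real documents often compress both (FlateDecode,
object streams) or store strings as UTF-16 hex, so treat this as a first pass
and use a full PDF library or exiftool for production checks.
"""
import re
from typing import Dict, List

# Constructed minimal PDF.  The visible page text has been redacted, but the
# /Info dictionary (object 6) and the XMP packet (object 5) still name "Jane Doe".
# /Length values are approximate; nothing below depends on them.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 64 >>
stream
BT /F1 12 Tf 72 720 Td (Report prepared by [name removed]) Tj ET
endstream
endobj
5 0 obj << /Type /Metadata /Subtype /XML /Length 330 >>
stream
<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/">
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/">
<dc:creator><rdf:Seq><rdf:li>Jane Doe</rdf:li></rdf:Seq></dc:creator>
</rdf:Description>
</rdf:RDF>
</x:xmpmeta>
<?xpacket end="w"?>
endstream
endobj
6 0 obj << /Title (Staff Report) /Author (Jane Doe) /Creator (Word) >> endobj
trailer << /Root 1 0 R /Info 6 0 R >>
%%EOF
"""

INFO_REF_RE = re.compile(rb"/Info\s+(\d+)\s+(\d+)\s+R")
# Literal PDF string entries such as  /Author (Jane Doe)
ENTRY_RE = re.compile(rb"/(\w+)\s*\(((?:\\.|[^\\)])*)\)")
XMP_PACKET_RE = re.compile(rb"<\?xpacket begin=.*?<\?xpacket end=[^>]*\?>", re.S)
# Simple XMP properties in the namespaces that usually carry people's names.
XMP_PROP_RE = re.compile(rb"<((?:dc|xmp|pdf|xmpMM):\w+)>(.*?)</\1>", re.S)
# Literal strings drawn by the Tj operator in a content stream.
TJ_TEXT_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)\s*Tj")


def info_dictionary(pdf: bytes) -> Dict[str, str]:
    """Return the literal-string entries of the classic /Info dictionary."""
    ref = INFO_REF_RE.search(pdf)
    if not ref:
        return {}
    num, gen = int(ref.group(1)), int(ref.group(2))
    obj = re.search(rb"\b%d\s+%d\s+obj\s*<<(.*?)>>\s*endobj" % (num, gen), pdf, re.S)
    if not obj:
        return {}
    return {k.decode(): v.decode("latin-1") for k, v in ENTRY_RE.findall(obj.group(1))}


def xmp_properties(pdf: bytes) -> Dict[str, str]:
    """Return XMP properties (dc:creator, xmp:CreatorTool, ...) with inner markup stripped."""
    props: Dict[str, str] = {}
    for packet in XMP_PACKET_RE.findall(pdf):
        for tag, raw in XMP_PROP_RE.findall(packet):
            text = re.sub(rb"<[^>]+>", b" ", raw)  # drop rdf:Seq / rdf:li wrappers
            props[tag.decode()] = b" ".join(text.split()).decode("utf-8", "replace")
    return props


def visible_text(pdf: bytes) -> str:
    """Crude extraction of the text actually drawn on the page (uncompressed streams only)."""
    return " ".join(s.decode("latin-1") for s in TJ_TEXT_RE.findall(pdf))


def metadata_leaks(pdf: bytes, removed_names: List[str]) -> Dict[str, List[str]]:
    """Map each name that should be gone to the fields still carrying it.

    Fields are labelled Info:<key>, XMP:<property> or Text (the visible page
    text), so a name that survived redaction of the body is reported as well.
    """
    fields = {"Info:" + k: v for k, v in info_dictionary(pdf).items()}
    fields.update({"XMP:" + k: v for k, v in xmp_properties(pdf).items()})
    fields["Text"] = visible_text(pdf)
    leaks: Dict[str, List[str]] = {}
    for name in removed_names:
        hits = sorted(f for f, v in fields.items() if name.lower() in v.lower())
        if hits:
            leaks[name] = hits
    return leaks


if __name__ == "__main__":
    # The body is clean, yet the metadata still names the employee.
    print(metadata_leaks(SAMPLE_PDF, ["Jane Doe", "John Smith"]))
    # {'Jane Doe': ['Info:Author', 'XMP:dc:creator']}
```

Run a check like this over every outgoing file against the list of names that were supposed to be removed, and run it on the final artefact rather than the working copy: stripping PDF metadata with a tool such as exiftool (`exiftool -all=`) is written as an incremental update and is recoverable until the file is rewritten (for example with `qpdf --linearize`), so a file that looks clean in a viewer can still carry the old names.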
Most people think security has nothing to do with them, but no matter how much technology you add to ring-fence your data, human interaction with that data is usually the weakest link, and it needs to be acknowledged, identified and managed.
One of the requirements of the upcoming GDPR is data protection by design and by default (Article 25), often summarised as "security by design". This does not necessarily mean going overboard on the security implementation around data, but it does mean that all aspects of security must be considered and built into the design of any process in which personal data will be used: not only the usual controls around data storage and backup, but also procedures for every aspect of data access, manipulation and destruction once the data is no longer needed.
In the last few days you have no doubt been bombarded with emails from organisations trying to bring their consent up to GDPR standard. I fear many companies will consider their GDPR work complete once they have updated their consent, and will fall into the trap of thinking they are compliant until a data breach happens and they realise they are not.
Proper staff training is a huge step, not just towards compliance but towards de-risking your organisation and avoiding situations like the one at the NHS Trust described above. Well-trained staff are much better at applying common sense to situations that were perhaps not anticipated originally but still need to be dealt with.
© CIO on Demand UK