mixmagic - stock.adobe.com

Why ‘no breach’ is bad news for your compliance

You might think it’s a good thing if your organisation has a clean record when it comes to data breaches, but this is not necessarily the case

We live in an era where data privacy and security are high in the public consciousness, particularly since the implementation of GDPR in May 2018, with major data breaches often making national news, such as the recent leak of addresses in the New Year’s Honours List and the Travelex cyber attack. 

This increase in awareness – and the way news of a breach spreads like wildfire, creating reputational damage – means the role of the data protection officer (DPO) has become increasingly important in an organisation.

The fundamental responsibility of the DPO is to protect the rights and freedoms of data subjects, which means a key part of the role is preventing breaches from happening.

What keeps DPOs awake at night is the fear of seeing a breach in the media, before they are made aware of it by their colleagues. Not only does this put the organisation on the back foot when it comes to responding, it also increases the likelihood of a fine.

So, if your organisation has a “clean”, no breach record, that’s a good thing, right? Wrong.

When we encounter businesses that report few or no breaches, it raises several red flags. It means one of two things – they are perfect (unlikely), or their employees are nervous about reporting a breach, don’t know how to recognise one, or aren’t aware of the process to report one. All of which are issues that need addressing urgently.

A data breach isn’t confined to those major stories that hit the headlines. Most organisations will have breaches on a fairly regular basis – for example, emails sent to the wrong person, lost documents at the printers or missing USB sticks – all of which should be reported. 

Breaches as a catalyst for organisational change

Our view is that, while breaches are worrying and need to be managed correctly, they shouldn’t necessarily be perceived as negative incidents.

Instead, they have the potential to act as a catalyst for organisational change, providing real-world examples to change behaviours and embed best practice throughout an organisation. It is much more powerful to engage with staff about something that actually happened, rather than theoretical examples, and discuss how it could be avoided in the future.

Read more about GDPR compliance

Regular analysis of breaches can help identify areas in a business that need addressing, such as a poor security profile, a lack of training on IT systems or low awareness of the process of recognising and reporting a breach. But, in an organisation where potential breaches are being missed or simply not flagged, DPOs don’t have access to this critical insight.

So, what are the practical steps DPOs can take – both consultants and in-house – to effect this organisational change and ensure their clients and organisations are ‘data aware’?

1. Regular training

A common mistake is treating data privacy compliance as a one-time issue. It requires a long-term approach. For example, we saw many organisations invest heavily in training in the run up to the implementation of GDPR in May 2018. Compliance box, ticked, right?

Basic information security training should take place annually, and should also be an important part of the induction process for any new employee. 

As a minimum, this should include:

  • Where your information security policies are located
  • The appropriate use of work systems
  • The acceptable complexity of passwords
  • How to use corporate assets
  • Your escalation process in the event of a breach

2. Take the “fear” out of reporting a breach

If an employee is a responsible for a breach, the “fear factor” could prevent them from reporting it. The fact is, we’re human and we lose things or make mistakes. A key part of creating a positive culture around data privacy is to ensure employees are not scared about reporting an accidental loss. What isn’t acceptable is to not come forward when the loss occurs.

As part of ongoing staff training, organisations should adopt an “R&R” approach:

  • Recognise: clearly explain what constitutes a breach, and what doesn’t
  • Report: communicate the reporting process - whether that is to line manager, HR department or the DPO – and stress that, while the employee won’t face disciplinary action in the event of an accidental breach, it is important they report it to help manage the situation appropriately.

Adopting a positive “data aware” culture

As DPOs, we are responsible for protecting the rights and freedoms of data subjects.  This includes limiting and mitigating risk when their data has been lost or misused. Therefore, an organisation that claims it has experienced little or no breaches is not only putting itself at risk, it could be leaving its data subjects vulnerable. 

So, while DPOs that adopt and embed a positive, “data-aware” culture may find themselves receiving more reports of breaches, this should be treated as an opportunity to regularly review systems and processes, and ultimately protect the best interests of the data subjects.

Byron Shirley is co-founder of The Compliance Space, a supplier of compliance management software to consultants who advise on GDPR compliance.

Read more on Regulatory compliance and standard requirements