In any process or compliance exercise, it is easy to make mistakes along the way. In this post, I’m going to detail a few of the mistakes I’ve seen and what can be done to avoid them.
One of the common principles across privacy laws is that information should be accurate and up to date. Flybe, an airline in the UK, found themselves in hot water after trying to do the right thing – by sending an opt-in email to a mailing list where recipients had already opted out. This landed them with a fine of £70,000.
Should your information be out of date, and you mail a mailing list where members have already opted out, you will be in contravention of the law. Always ensure that you use the latest lists in your marketing, and don’t push your luck by mailing someone who has already opted out of your communications.
Staff Intentionally Bypassing Controls
Part of compliance with standards such as ISO 27001 or with data privacy laws involves tightening security within your network. As a result, things like USB flash drives and emailing certain information may be restricted as part of Data Leak Prevention (DLP). In these cases, staff are prevented from writing or sending potentially sensitive data outside of the network.
This is where “a little knowledge is a dangerous thing” comes in. I’ve seen it on numerous occasions: an IT team member shows another staff member how to bypass DLP because they are trying to be helpful. It is therefore of vital importance that everyone in the IT department is aware of the obligations and implications of DLP. Sure, these bypasses speak to DLP’s limitations; however, you don’t want a race to the bottom of the barrel as far as locking down absolutely everything goes.
Lastly, it is key not to simply assume that your data privacy exercises are taking place and that your compliance is in order. Compliance with principle-based laws like GDPR and POPIA is an ongoing exercise that should be regularly monitored.
Much like company culture, Data Privacy is not a “set-and-forget” process; it needs to be maintained on a regular basis, particularly in agile companies where processes and data flows can change in no time at all. A management tool that supports your compliance controls would go a long way in performing this maintenance.
Close to home?
It is very easy to fall into any one of these traps, often without even realising it until it’s too late. If you feel you need a helping hand with the mistakes detailed in this article, or if you simply wish to fast-track your compliance efforts, please reach out for a meeting. Data Privacy can be daunting given the level of attention needed in addition to your already busy day, so why not outsource to a network of trusted advisors such as those partnered with Ross G Saunders.