In laws such as POPIA and GDPR, there is a principle of implementing security safeguards. These safeguards do not necessarily fall into the categories of IT Information Security or having available tools like shredders, they also include ongoing education. In the movie Minority Report, Colin Farrell says “If there’s a flaw, it’s human. It always is.”, this is true for data protection too. If your teams don’t know what their responsibilities are for data protection and privacy, you have a potentially dangerous situation on your hands.
Teams need to know what protection is currently in place, and why they need to adhere to it. This is more akin to internal policy education. You very likely have processes and procedures in place already, it is important that teams follow them and that they take data privacy into account. If your teams do not know precisely what process they should be following, or what kind of system is in place to protect information, they may actively try to get around it without realising they are doing something counter to your compliance requirements. Sounds a bit of a reach, right? Let me give an example.
At one of the companies I assisted, an email platform that detects data leakages was implemented. This data leak prevention (DLP) involved scanning emails and attachments for anything that resembled a bank statement or credit card, and subsequently blocking the email and alerting management. A staff member, in this instance, was trying to apply for finance in their personal capacity and was sending the supporting documents to the bank. This included a bank statement, which set off the DLP. The emails were successfully blocked, but because the team member wasn’t aware that emailing a bank statement would do this, she continued trying to find a means to send the information.
Enter a newly appointed IT technician, someone with more knowledge of computer systems but also not aware of the new tool having been implemented, who assisted in getting the mail and information out of the organisation by configuring the employee’s personal email account on their laptop. This was 1) contrary to company policy, which the newly appointed technician perhaps didn’t realise in his eagerness to help, and 2) a successful bypass of the company’s DLP system. Had either been educated, the waste of resources would not have occurred, though it did point out how difficult it is to truly restrict information leaving the organisation without becoming draconian.
The law, or at least the basic fundamental principles and obligations, should be regularly communicated to all staff. This can be by means of email campaigns, posters in the office, online training, or even classroom training. I use a combination of these with my clients, including keynote talks, short-burst training, and ongoing campaigns over email. For example, in POPIA (South Africa’s Protection of Personal Information Act), the following principles apply:
- Processing Limitation
- Purpose Specification
- Further Processing Limitation
- Information Quality
- Security Safeguards
- Data Subject Participation
Teams from the highest echelons to the base level of the company should have a working knowledge of these principles and how to apply them in their day-to-day operations. If you are scratching your head at any of these, reach out to me for information on the training that I have available.
Deviances and Exceptions
Once you have the above in place, it’ll be easier for your team members to identify exceptions to and deviances from process and protection methods. A well informed team is a tremendous asset to your data protection efforts. Knowing when an incoming caller or visitor is trying to perform phishing or vishing can be the difference between a costly breach and a rock solid protection strategy.
Having these training programmes in place and documented, along with attendance where needed, goes a long way in supporting your efforts of abiding by the principles. If the regulator does come knocking, you can at least prove that you have these measures in place and that your staff are well aware of their responsibilities.
As the old legal proverb goes, “he with the most paperwork, wins”.