Not only has the Information Commissioner’s Office reported that human error is the leading cause of reported data breaches, but this week Trinity Chambers in Guernsey was handed a fine of £10,000 following a breach of data protection laws as a result of human error, highlighting the potential cost to businesses.
What did they do wrong?
The firm sent out personal data in respect of an individual and their family via email and post. A lack of security meant that unconnected third parties, who had no way of knowing the sensitivity of the content of the post and emails, then unintentionally had access to the sensitive personal data.
A complaint was made by the individual concerned following the unauthorised disclosures and an investigation into the incident revealed that repeated human error was to blame for the breach, resulting in a £10,000 fine being handed to the firm.
Why was the fine so large?
The data protection commissioner has noted that the fine is reflective of the firm’s disappointing response to the complaint and its failure to engage appropriately or show an understanding of the impact of the breach on the individual. The lesson here is that, in itself, a breach of data protection rules will not automatically incur a penalty. However, inadequate safeguarding measures followed by a delayed or obstructive (or even just negligent) response to a breach may lead to investigation and subsequent fines from the ICO.
Human error will always be a risk, but the response to that error is what is important both in terms of limiting any sanctions and maintaining a positive relationship between a business and the individuals with whom it deals.
Where does the risk lie?
Lack of understanding or awareness may mean (for example):
- a subject access request goes unanswered or is delayed
- misuse of personal data, e.g. it is used to contact individuals without consent
- personal data is used for purposes outside of the purpose for collection of that data
- personal data is inadvertently provided to unconnected parties
- delayed or no action following a security breach
- failure to update records or delete records.
All of the above would be breaches of the GDPR and may require immediate action or even reporting (depending on the circumstances).
How do we prevent or minimise the ‘human error factor’? TRAINING, TRAINING, TRAINING!
Compliance with GDPR cannot rely just on software systems and one data protection manager.
All individuals within organisations need to be aware of how data protection compliance impacts on their role and what their responsibilities might be (in a few cases, there may legitimately be none).
In order to combat this risk and employee lack of awareness, training should be provided to staff at induction and at regular intervals, especially if their role and responsibilities change. It is also crucial that staff know what to do if an error occurs. Communication at the earliest point is key in handling a breach, so creating a culture of trust is crucial.
Once the training and understanding is in place, investment in the technology to support good data protection procedures will enhance those procedures and allow easy management of the various tasks and obligations.