GDPR and Information Security: Are your employees trained to protect data?

When the new data protection law comes into effect on 25th May, one thing won’t change – the need to protect personal data from accidental disclosure. This has long required organisations to train employees on information security, which includes understanding the range of threats and how to avoid them.

Time to assess your data protection culture

Now is of course the perfect time to double down on your efforts, particularly with the greatly increased fine that GDPR introduces for negligence leading to a data breach.

For example, one scenario no organisation wants to experience is an employee being tricked by a phishing email, only to discover that the individual never received any awareness or training on how to spot and avoid phishing. While the debate continues as to whether this on its own would warrant a fine, if combined with other information handling mistakes such as failing to encrypt sensitive information, then the chance of a fine greatly increases. As the maximum penalty will soon be €20 million or 4% of your global turnover, there is significantly greater incentive to minimise the chance of something like this occurring.

Cybercriminals want your personal data

I like to keep my eye on the Information is Beautiful data breaches graphic, which is regularly updated with the world’s biggest information disasters. It’s a good reminder that cybercrime isn’t going away any time soon.

The underlying problem is that personal data about customers, employees and other individuals has value on the black market. Larger companies seem like an obvious target, but many have more money to plough into information security training and awareness, supported by cutting edge security technology. They also tend to have a more organised approach, with a Chief Security Officer and a dedicated team driving the fight back. That doesn’t make them impervious, but it can make a cybercriminal’s job harder.

In this regard, small to medium-sized organisations can be a much easier target. The online world makes it easy to accumulate vast amounts of personal data, yet smaller ventures don’t tend to have the size, structure or budget to field the same sort of approach as a multinational. But having no approach is not an option in today’s world.

The obligation to train

Take phishing for example. This is the use of fraudulent emails, texts and other online messages to trick people into clicking on a website link, opening a file attachment, or disclosing sensitive information in a reply. File attachments can contain malicious software that steals information from the user without their knowledge, whereas phishing websites can trick you into entering your username and password, or infect your device with the same range of malicious software. The messages and websites are disguised to seem genuine, and a targeted phishing attack could even use an email that looks like it comes from someone within your own organisation.

Even the most advanced email filtering technology cannot give you 100% protection from a phishing email landing in the email inbox of one of your employees. The only option is to train employees to recognise what they look like, and know what to do when they see one. For example, you could provide a checklist for assessing whether emails are genuine that includes points such as:

  • Is the sender’s email address suspicious?
    Check whether the email address matches the company or person it is supposed to be from. If you can’t see the address, hover your mouse pointer over the sender’s name.

  • Is the message urgent, mysterious or enticing?
    Cybercriminals want you to act as quickly as possible without thinking, so urgent notifications from your bank, or mysterious file attachments are common tricks. Encouragement to click on a website link or open a file attachment is a strong sign of phishing.

  • Does the email seem unprofessional?
    Phishing emails have become quite sophisticated over recent years, but you can still see the odd clue such as poor spelling, grammar and formatting, and poor-quality graphics.
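The first two checklist points, expressed as a small Python triage helper that a reviewer could run over a saved message. This is an added example and not the article's or SA Law's code: the `TRUSTED_SENDERS` lookup, the `URGENCY_WORDS` list and both sample messages are constructed, and the Reply-To comparison goes one step beyond the checklist. The third point (spelling and formatting) is left to the human reader.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed lookup: names the organisation trusts and the domain their mail should come from.
TRUSTED_SENDERS = {"example bank": "example-bank.com", "alice colleague": "example.org"}
# Constructed pressure words drawn from checklist point 2.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "act now", "verify your account")
# Constructed sample messages (not real mail) used to exercise the checks.
SUSPICIOUS = """\
From: "Example Bank Security" <alerts@examp1e-bank-login.com>
Reply-To: verify@mailbox-collect.example
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/plain

Please click https://examp1e-bank-login.com/verify immediately to avoid suspension.
"""
BENIGN = """\
From: "Alice Colleague" <alice@example.org>
Subject: Minutes from Tuesday's meeting
Content-Type: text/plain

Notes from the meeting are below. Nothing needs a response this week.
"""

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def assess(raw: str) -> list[str]:
    """Apply the checklist to one raw message; returns the points it trips (empty = no flags)."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)
    # Point 1: does the address match the company or person the display name claims?
    for name, expected in TRUSTED_SENDERS.items():
        if name in display.lower() and not (from_domain == expected or from_domain.endswith("." + expected)):
            flags.append(f"sender-mismatch: '{display}' but the address is on {from_domain}")
    # Beyond the checklist: a Reply-To that quietly sends replies to another domain.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and domain_of(reply_to) != from_domain:
        flags.append(f"reply-to: replies go to {domain_of(reply_to)}, not {from_domain}")
    # Point 2: urgent, mysterious or enticing? Pressure words plus a link or attachment.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        flags.append("urgency: " + ", ".join(hits))
    if re.search(r"https?://", text) or any(True for _ in msg.iter_attachments()):
        flags.append("link-or-attachment: the message wants you to click or open something")
    return flags
```

Each flag is one checklist point to raise with the recipient, not a verdict; the constructed suspicious message trips all four checks while the internal note trips none.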

It’s not all about GDPR

Bear in mind that GDPR is exclusively focused on the way you protect personal data. However, more than likely you have a much wider range of information you don’t want to fall into the wrong hands.

Proprietary information such as ‘secret recipes’ and unique processes must be kept private to protect your competitive advantage. Equally, unpublished financial reports, salaries and internal investigations could invite reputational disaster if they entered the public domain.

Information security must be a vital component of your employee culture, and ignoring it can spell disaster. Over the coming months, it’s worth making sure that your employees understand which types of information need protecting, and how to protect them.

CONTACT JULIE

We hope you enjoyed this article by Julie Gingell. Please do not hesitate to contact Julie on 01727 798000 or email julie.gingell@salaw.com.

© SA LAW 2019

Every care is taken in the preparation of our articles. However, no responsibility can be accepted to any person who acts on the basis of information contained in them alone. You are recommended to obtain specific advice in respect of individual cases.