The deluge of emails asking us to reconfirm our desire to be on mailing lists might have subsided now that GDPR has been in force for almost a year, but it is important we make protecting personal data a day-to-day part of our work, whether we are managing a customer list for a small business or sending marketing emails to hundreds of thousands of contacts for a major brand.
Our new position paper, published this month, looks in depth at a side of data protection that is often forgotten: skills for data protection. GDPR was designed to make data protection easier for smaller organisations. For example, companies below a certain size don’t need to employ a dedicated Data Protection Officer. But while compliance might be simpler, it doesn’t mean it is effortless.
There are countless training courses available to help people learn how to be Data Protection Officers (dedicated staff with responsibility to ensure that personal data is protected within an organisation), and growing numbers of certifications for this role. But data protection goes beyond being just the responsibility of one staff member, especially in smaller organisations that don’t have to have a Data Protection Officer. The chances are, if you work in a business or organisation dealing with members of the public, then your work involves some element of handling personal data. From maintaining mailing lists for sending promotions to managing appointments, there are lots of ways that regular workers can end up processing data, so it is important that they know how to do so safely.
It can be tempting to brush off the risk of a data breach happening, especially when you have priorities that feel more immediate. But the fact is that a data breach could seriously harm your business by damaging customer trust, causing loss of business, and subjecting you to heavy penalties. In short, staff who don’t know how to process data safely are a risk to your business.
Data breaches that could have been avoided if basic principles of data protection had been applied include the exposure of 31 million customer records by app maker Ai.Type, thanks to a misconfigured database, and the unauthorised sale of more than 500,000 customer records by staff at T-Mobile. A culture of data protection and the integration of data protection by design into business processes could have prevented both of these breaches.
It is clear that if staff don’t know what they are doing, they won’t be able to protect personal data effectively. It is also clear that, especially in smaller organisations, staff with busy workloads are unlikely to figure out data protection for themselves. That is why it is essential that all workers who handle personal data have the opportunity to learn fundamental skills for data protection in a structured way.
How to develop the skills for data protection has been largely overlooked in the debate around data protection. Big scandals like Cambridge Analytica and discussion around the enforcement of data protection have dominated. But nobody knows how to do things without learning first. It is the same in every area. GDPR offers a chance to make data protection simpler. Instead of 28 different data protection regimes, we essentially have just one. However, even though the rules on how to safely work with personal data are more consolidated, it is key that people know what they are doing.
Our position paper, ‘Skills for Data Protection: preparing workers to protect personal data’, is available to download from our website. It examines these questions in more detail.
The ECDL Data Protection module is also available, covering essential skills for data protection. More information can be found here.