The irony. Of all the government departments that could have announced a personal data breach last week, it was the Department of Culture, Media and Sports – who are responsible for UK data protection legislation (and the regulator) – that were responsible for a personal data breach. The government department clearly did not have the appropriate technical and organisational measures in place to ensure a high level of protection for the rights, freedoms and interests of 300 individuals. Someone at the DCMS inadvertently copied in everyone's personal email address for everyone else to see.
The stress that mistakes like this cause people is just not appreciated. What's more: it's the second time this month a government department has made such a mistake!
The answer? Quite simply, we need organisations to take our privacy seriously. Human error causes the problem more often than not. So, change the behaviours of your employees. Don't just put them through some tick-box training exercise.
Oz Alashe, CEO of the GCHQ-approved organisation CybSafe , says:
"Data protection training is not about explaining to people about data protection policies and processes - it's about implementing them and checking that people are doing the right thing."
Sure, there are some great technologies out there that can prompt the average user, "Are you sure that you want all 300 people on this email to be in the To: line, or would it be better to instead use Bcc:?"
These are good examples of technical and organisational measures. Oz is talking about represents organisational measures and these are realised through technical measures. In both cases, it's about demonstrating that the concept of data protection by design is a significant factor in your data protection strategy.
priviness sees this all the time. Every personal data breach that occurs, the ICO expect the reporting organisation to explain what extra technical and organisational measures are now being taken. A good answer is, "We're sorry - we've reviewed the situation - we've now enhanced our training."
For more information about how priviness can help your organisation improve their technical and organisational measures, please get in touch. You can call us on 0203 2878 243 or email email@example.com
The priviness blog is a forum for the discussion and dissemination of ideas relating to privacy. The posts are written by a number of different authors and do not necessarily represent the views of priviness.