What does it take to avoid costly data breach mistakes?
By Rohan Massey
Editor’s Note: In light of recent headline-making fines from the UK Information Commissioner's Office (ICO), experts are looking at what needs to be done to keep organisations and businesses from making expensive data privacy mistakes. In Q and A format, Rohan Massey of McDermott Will & Emery UK LLP shares insights into the importance of training and compliance.
Why are organisations reticent to train?
Some organisations are reticent to train on data protection issues on the grounds of costs and business interruption, but for many organisations, the failure is not reticence but simply a lack of adherence to an established policy or procedure due to time constraints or commercial performance pressures. Where organisations are reticent to train, an explanation of the growing financial risks of noncompliance often makes the internal sell to management far easier, as does education that the training, once implemented, is not time-intensive, taking an hour or two a year for the relevant employee, and does not need to be a material ongoing cost.
What advice would you suggest for organisations to consider related to providing/requiring compliance training and ensuring compliance is in place?
With regard to compliance training, it is critical that the business undertakes a 360-degree review of their data lifecycle to establish the types of data, different processing, storage, sharing and destruction of data that takes place and that the business identifies the employee roles that take responsibility for each stage of the process. Each employee needs to be trained to the level required for them to perform their tasks with full awareness of the legal obligations and commercial risks of noncompliance. It is also important to establish policies and procedures detailing who is responsible for ensuring training is undertaken and what actions can or cannot be taken within the business until all relevant employee training has been signed completed. A record of all such training should also be kept for evidential purposes.
What are the baseline actions every organisation should take to avoid penalties like the ICO’s recent £90,000 fine?
Businesses need to be aware of their obligations under the data protection act and be sure that they are putting in place sufficient internal processes and training to ensure that procedures are in place and that there is ongoing updating and monitoring of them. It is important that that all personnel receive adequate training and receive refresher courses throughout the course of their employment.
Other thoughts and recommendations
The ICO has made clear that merely having a data-handling policy in place or a procedures manual is not sufficient to protect an entity handling sensitive data. The critical issue for any organisation is to ensure that all its employees are educated and aware of their legal obligations when processing personal data and that the employees understand why these obligations are placed on them. The importance of having ongoing monitoring and training, although expensive in the short term, could, in light of the ever-increasing levels of fines being issued, prove to be a shrewd investment in the long term
Rohan Massey is a partner in the law firm of McDermott Will & Emery UK LLP, based in its London office. Massey leads the London non-contentious transactional IP practice and is the co-head of the firm’s privacy and data protection practice. He is also a member of the electronically stored information practice. Massey has undertaken a number of complex privacy compliance programmes for multinational companies involving auditing the data collection and dataflow processes of each business, assessing security, drafting privacy policies to ensure ongoing compliance, making regulatory filings and constructing and implementing privacy training programmes to ensure ongoing compliance. Massey’s client base is international in scope, as he works extensively across Europe and has been based in the Firm's LA office.