This article is an opinion article, which reflects our collective experience.
In the face of human error, why is it portrayed as a blame game?
Whilst public organisations are front-page headlines in the media over data breaches, many questions are asked by the press over “who is to blame”!
Data protection awareness has undoubtedly improved in the five years since the EU GDPR came into force. However, human error will always be a factor.
During the pandemic working from home, in our experience, appeared to give the green light to reduced security, with organisations running highly confidential work processes from personal IT equipment, circumventing previously honed policies and procedures in the name of necessity.
Since then, most have returned to the office, the workforce has thinned, financial belts have been tightened, and duties have been delegated to increase the workload on those still present.
The media is awash with “who is to blame” and what the ICO will do about it. We are listening to politicians discussing previous cases where disciplinary procedures have been launched against staff members, yet the organisations have been cleared of wrongdoing.
Human error has been and always will be a factor. Business continuity plans were adapted to cope with a pandemic. Still, most have neither readdressed the holes in their planning and security nor tested their risk, compliance or governance, yet they still want to blame humans for the errors.
Some say that the Supervisory Authority (ICO) has not been tough enough on public organisations.
Data protection laws were created and have evolved to some extent to aid and advise on handling information. From experience, many organisations treat them as a tick-box exercise; others ignore or brush them aside when the going gets tough.
Too many times, we have seen the responsible data controller respond to a SAR or FOI request and cause a breach.
So what are the answers?
First, stop the blame culture. Humans, especially when under pressure, will miss things and cause errors. You also cannot rely on an Ai to do the task, as the rights of our laws limit automated processing.
It does not excuse the organisation for failing to comply with the UK or EU GDPR of having appropriate security measures in place. In part, it is about the ‘process’!
Having the right processes in place to deal with FOI and SAR requests effectively and within compliance with the law is essential.
Having the right staff in place to run the processes adequately is the organisation’s responsibility
Providing the proper training to your staff dealing with these requests is a must.
Ensuring your organisation tests the measures and processes you have in place to ensure they are robust is often a missed opportunity.
Think outside your normal! If you cannot think outside your normal, be honest and get someone else to help you!
In security terms challenging your everyday processes and procedures by testing what you consider to be expected is part of the risk process.
If you have considered all these points and have them in place, but then your organisation’s people or situation changes and you do not retest or consider re-examining your processes, a breach occurrence cannot be considered an oversight of adequate security. As the old saying goes, ‘ignorance is no defence in a court of law’.
The responsibility of upkeeping data protection and information governance rights and laws sits at the top of all organisations.
It will also be interesting to see how the Information Commissioners’ Office reacts to these recent cases.