The UK ICO’s detailed report on the 2,629 personal data breaches reported to it in Q1 2020 shows a startling fact:
Helpfully, the UK ICO releases reports on personal data breaches reported each quarter. The report for Q1 2020 (what the ICO calls Q4 2019-20) has some interesting revelations.
All cyber security incidents (CSIs) together amounted to 24.8%, a quarter of all reported breaches. Which means 75% were not CSIs, which can surprise some, as it can feel at times as if all data is in digital format, so all breaches must be about cyber security.
Sending emails, faxes and mail to the wrong recipient, or not using bcc, led to 26.6% of all breaches, more than all CSIs together. More than a quarter of all breaches, and a third of non-CSI breaches, are just down to simple human error.
First, it proves the saying: people, process and technology. For us, that leads us to 4 truisms, for both Privacy and Security:
Technology is 33% of the answer overall, but it might be 0% or 100% depending on the context. From solutions, like Keepabl, targeted at governance and management, to solutions such as a firewall or 2FA. Each is as valid as the other and the Privacy Stack you use will include many various tools.
Each one of us has our own role to play in Privacy and Security compliance, much as Health & Safety law includes that, while employers need to do their part, each employee has their own responsibility for their own health and safety and that of others. We need to get better at getting that across.
Everyone hates policies and procedures! But that’s the old-school policy and procedure. We need a new style of plain-language, more visual, more approachable information setting out the required behaviour. There’s much to be learnt, and borrowed, from today’s consumerisation of technology, for the consumerisation of this information, not least in terms of design and user interfacing.
This is not easy! GDPR says you need to provide a ton of information that’s highly technical and complex – but do keep it light and breezy and short…
It’s easy to target tech on external threats and to draft policies by copy-pasting laws and standards, bringing across jargon. This misses the large target we’ve identified above – plain old human error, that just refuses to go away.
We clearly need to do more to block off as much of the opportunity for human error as appropriate to the risk levels – it is about risk management after all!
The Schrems II decision came out nearly 2 years ago, on 16 July 2020. Given the enormous data flows from the EEA and UK to the USA, and many unanswered…