Who takes responsibility for data protection in your organisation?
Most organisations who fail badly when it comes to data protection fail because of a classic error. Data protection is “somebody else’s problem”. The legal team look after that or it IT’s responsibility to keep our data secure. HR look after that. It’s in the employee handbook somewhere. To paraphrase Douglas Adams because it can’t exist, ignoring it comes naturally. For anyone who is not a Douglas Adams fan (You should be!!), here’s a quick explanation of Somebody Else’s Problem(S.E.P). The Somebody Else’s Problem field “can run almost indefinitely on a torch (flashlight)/9-volt battery, and is able to do so because it utilises a person’s natural tendency to ignore things they don’t easily accept, like, for example, aliens at a cricket match.” Data protection gets ignored in an organisation because of a lack of understanding of how simple it is, rather than the fact that it’s too outlandish to accept. The effect is the same. Nothing needs to be done as long as everyone sees it as Somebody Else’s Problem. Every study on data breaches that I have seen shows that most breaches are the result of simple avoidable human error. If you want to avoid the stress, costs and damage caused by a breach then it’s time to stop thinking that somebody else in the company will shoulder the responsibility. You need to ensure everyone understands their role in making your customer data secure.
Your legal team cannot carry the data protection can all by themselves
Your legal team carries quite a lot of responsibility when it comes to data protection. They will make sure you have a legally sound basis to collect the information you collect. They will ensure that your contracts are sound. They will make sure you explain your data processing to your customers. You will meet the requirements for disclosure on your websites, in communications and on company property. But your legal team won’t be answering the phones and dealing with customers. They won’t be assessing your new CRM system and implementing your new customer service back office functions. They won’t be designing your new multi-channel marketing campaign. The biggest category of complaints dealt with by the Irish Data protection commissioner in 2015 was the misuse of marketing emails. Something really easy to avoid with a few simple details when handling marketing lists and creating content. Not something that can be avoided by anything your legal team can get into your contracts.
IT is responsible for data security; Data security is not data protection
Don’t get me wrong, data security is incredibly important. One of the principles of data protection is that you must keep the data you collect safe and secure. Your IT team will need to implement appropriate security measures depending on the volume and sensitivity of the data you store. Your IT team will need to assess potential threats and determine the appropriate security measures against these threats. They will investigate the available solutions and balance the costs and the risks and they will monitor your systems for suspicious activity. They won’t determine what data your business collects or by whom the information is collected. They cannot be responsible for every customer interaction or email that is sent out from your company.
So if it’s not Legal and it’s not IT, who takes responsibility for data protection in your organisation?
The short answer is – everyone. (Who had not cottoned onto that by now?). A slightly longer answer is – everyone who handles personal customer data or personal employee data. Which in most organisations boils down to the same answer – everyone. Okay, so obviously that’s where I have been going all along. A serious data breach can originate from anywhere in your organisation. No matter how much work your legal team do on your policies or what form of encryption your IT team have put in place you could still be affected. In fact, phishing is the most common cause of data breaches globally. All it takes someone clicking on a bad link or opening a dodgy attachment in an email message.
The solution is to ensure that everyone in your organisation takes responsibility for data protection
You should communicate your policies to all your employees. Evaluate the data you collect and ensure your staff know how to handle it properly. Ensure everyone understands the potential risks to your business when the policies are not followed. Make sure that everyone is security conscious and data-aware. Make all your employees responsible for data protection and all your employees will be helping to keep your business and your customer data safe.