“When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else.”
― David Brin
It seems hardly a week goes by without some news of a data breach or cyberattack, but the latest media firestorm involving Facebook has caught the world’s attention and called into doubt companies’ accountability when it comes to data protection.
Indeed, the revelation that personal data belonging to about 50 million Facebook users was accessed and misused by the political data analysis firm Cambridge Analytica has thrown into sharp relief the need for companies to strengthen their data security measures. Not only can data breaches be costly in terms of fines and legal fees, but they also can also cause long-term reputational damage – customers, suppliers, and investors all may lose trust in an organization that fails to secure private or confidential data.
So how can you strengthen security measures to prevent a serious breach? One key consideration is employee data protection awareness, which can be greatly enhanced by effective data privacy training.
The following are seven components for a data privacy e-learning program that can help safeguard users’ personal data – as well as your company’s reputation and bottom line.
1. PII and Personal Data
Do employees in your company know the difference between Personally Identifiable Information (PII) and personal data? Do they know what constitutes PII in the jurisdiction(s) your organization operates in? While some examples of PII, such as name, telephone number, or ID number, can identify you directly, there’s much more to it than that. For example, data such as your age may not identify you on their own, but, if combined with other contextual data, can be used to ascertain your identity – a method that can be exploited by cyber-criminals.
It’s also important to know that, in Europe, while the term “personal data” is almost synonymous with the US concept of PII, there are some significant differences: non-PII data such as cookies and IP addresses may also be considered personal data.
An effective data privacy e-learning program must show how PII can be combined to identify an individual, and outline what qualifies as PII, personal data, or both, depending on the region an organization operates in.
2. Data Handling Outside the Office
Business trips are often a necessity, and while they may be seen as a pleasant break from the office for many, the security of information kept on mobile devices is sometimes overlooked. Some of the most common threats while on a business trip include loss or theft of mobile IT devices, unsecured public wi-fi spots, as well as shoulder surfing in public spaces – all issues that need to be addressed in a data privacy course. And with more and more people working remotely, the question of how to protect user data outside the office is an increasingly relevant one.
3. The Data Life Cycle
Are your employees aware of the various stages of the data life cycle? And do they know what internal policies or regulations apply at each of these stages? While organizations differ in terms of how they treat customer or user data, there are typically seven stages that this data goes through: creation, processing, storage, use, sharing, archival, and destruction. In order to avoid fines and legal fees due to the mishandling of data, employees should know how to collect information appropriately, classify and update it accurately, share it responsibly, and ultimately delete it when it is no longer of use.
4. Payment Card Data Security
In 2017, an estimated 1.66 billion people purchased goods or services online, many of whom used credit and debit cards to carry out these transactions . We simply take it for granted that our payment card details will be stored safely online – unfortunately this is not always the case. In 2013, approximately 40 million credit card records were stolen in a major data breach at retail giant Target. In addition to over $153 million it paid to settle state government lawsuits, it also paid $292 million in other breach-related costs .
To avoid such huge fines and costs, it’s crucial that employees entrusted with credit and debit card details are aware of the Payment Card Industry Data Security Standard (PCI DSS). This will help ensure that cardholder data is stored, processed, and transmitted securely. It’s also important they learn how to deal with the aftermath of a cyberattack so as to minimize the scale of the damage.
If you or your organization provide healthcare services, under the Health Insurance Portability and Accountability Act (HIPAA), any personal health information (PHI) you collect must be protected. According to HIPAA, there are 18 identifiers that healthcare professionals and entities such as insurance agencies are obliged to use, store, disclose or remove securely and in accordance with HIPAA rules. Failure to follow these rules can be extremely costly. As recently as February 2018, Fresenius Medical Care North America (FMCNA) was fined $3.5 million for five breaches of regulations involving electronic PHI. So don’t assume employees know how to handle PHI – make sure to educate your workforce on the rules governing its use.
6. The GDPR
On May 25th, 2018, the EU is introducing the General Data Protection Regulation (GDPR) to strengthen data protection for all EU citizens. Some of the rights set out in this regulation include the right to correct inaccuracies, delete information, and restrict processing. But if you’re thinking “I don’t have a physical presence in the EU – I’ve got not nothing to worry about” think again! If your organization has a web presence and directly markets its products or services to customers in the EU, it will have to obtain explicit consent to collect their data and must treat any data collected in accordance with the GDPR. Developing GDPR compliance training is vital in guaranteeing that your company adheres to this new regulation.
7. International Data Transfers
Closely related to the GDPR is how organizations can move PII (or personal data) internationally – a process that can be fraught with legal complications. For transfers of data from EU to the US, the Privacy Shield outlines several principles in relation to the collection, use and monitoring of data, as well as breach detection and reporting. To show that they can provide an adequate level of data protection, US companies must obtain Privacy Shield certification. And central to obtaining this certification is preparation and – you’ve guessed it – relevant training.
Clearly, a company’s approach to data privacy is an important issue and may have disastrous consequences if not managed properly. An effective data privacy e-learning program can, however, go a long way in addressing the concerns raised above. The scope of data privacy training can be very wide and depending on the size and nature of your business, you may need to consider all – or only a few – of the components outlined here. But regardless of which components you include, it’s vital that you make data privacy training engaging by communicating the aims of the course early on and by making it relevant, fun, and intuitive.
For more information contact [email protected]
By Neil Cullen (Director of Compliance Learning, Interactive Services) & Aidan Hogan (Interactive Services)