Security Awareness Training in the Context of GDPR
The General Data Protection Regulation (GDPR) requires businesses and organizations to secure the personal data of EU citizens for any transactions taking place in EU member countries. Article 39 of the GDPR specifically lists the tasks of the Data Protection Officer (DPO). Section 1(b) of Article 39 places the responsibility on the DPO to create awareness and provide training to the staff involved in processing operations. According to the clause, the Data Protection Officer shall “monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;”
Though the GDPR does not specify the content of the privacy awareness training, its other requirements imply that the training must cover the risks associated with Personally Identifiable Information (PII) processed, stored or transmitted by businesses. This training needs to be carried out at least annually and, like any other information security training, should ensure that employees understand their roles in protecting any information they are entrusted with.

GDPR security awareness training is important because of the need to create and improve employee attentiveness to the risks associated with the loss of sensitive data, and to show employees how to mitigate those security risks.
The UK Information Commissioner's Office (ICO) also recommends compliance with the regulation as a best practice. Employees still pose the greatest risk to the information assets of an organization, whether through malicious intent or ignorance. Training that focuses on the most applicable safety measures, such as using strong passwords, being cautious of unknown attachments and knowing how and when to report incidents, greatly reduces the chances of security breach incidents.
The GDPR will officially go into effect in May 2018. This gives organizations enough time to prepare for the changes and train employees to support EU GDPR requirements, avoiding the heavy fines that may result if they fail to comply.
General rules for a security awareness training program, applicable not only in the context of the GDPR:
- Get internal support for the security awareness training program from responsible colleagues across all departments.
- Increase tracking and look for metrics; assess the existing level of user awareness with a simulated attack methodology.
- Plan future security awareness training campaigns considering past results, user engagement and retention level.
- Use multiple dissemination channels and more than one annual security awareness training initiative.
What topics should be covered in a staff security awareness training under the GDPR?
Personally Identifiable Information - The EU GDPR defines Personally Identifiable Information as “any information relating to an identified or identifiable natural person (or ‘data subject’)”. It defines seven principles for the protection of PII while it is processed. Because of its emphasis on the information protection rights of individuals, it is vital for businesses to understand the proper handling and processing of data according to the GDPR guidelines.
Breach Notification and Infringement Reporting - Under Article 33 of the GDPR, any personal data breach has to be reported by data controllers to the Supervisory Authority (SA) immediately, and within 72 hours at the most, unless it is unlikely to put the rights of data subjects at risk. If, for some reason, the data controller is unable to report within 72 hours, the reasons for the delay have to be explained. The breach notification must include a description of the incident (number and categories of personal data records affected), the contact details of the Data Protection Officer, the consequences of the data breach, and the immediate actions taken to mitigate its effects. Similarly, any cases of infringement or non-compliance should be reported to the supervisory authority for further investigation.
Data Protection - Data controllers need to ensure that the only personal data used is that required for a specific purpose. According to the GDPR, the data should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. In other words, the data used for processing should serve the purpose and should not exceed what is needed. Also, the personal data should be accurate and updated regularly. Any inaccurate data should be deleted or corrected as needed. When data is no longer needed for the purpose for which it was gathered, it should be deleted immediately, unless you have other justifiable reasons not to do so.
Compliance: Proving Due Diligence in Handling Data - The GDPR gives supervisory authorities the power to investigate and oversee the handling of personal data. If an organization fails to comply, supervisory authorities have a number of options to choose from: they can issue a warning to controllers and processors, order the organization to process data in a certain manner, order it to cease processing, or even compel it to report the data breach to the affected data subjects.
What topics should be covered in a management privacy/security awareness training under the GDPR?
Gaining Prior Approval for Information Sharing - It is the management’s responsibility to make people aware of what kind of data is being gathered, and where and how it is shared. People should also be given the option to permit or refuse the sharing of certain information, so that it is not shared without their prior consent.
Ensuring Data Consistency and Accuracy - The management is only allowed to use personal data for the purpose for which it was collected and not use it for any new incompatible purpose. It has to ensure the accuracy and consistency of data throughout the time it is being stored, processed or retrieved. Each organization has to consider very carefully how much it can amend the current data gathering practices so as to comply with the restrictions.
Maintaining Data Protection when Sharing with Third Parties - Data transfer contracts with third parties must ensure the provision of adequate data protection and the received data should only be processed for specified and limited purposes.
Following Strict Security Procedures for Data Safety - The management is responsible for processing personal data in a manner that ensures protection against unlawful or unauthorized processing and against accidental loss, damage or destruction. Appropriate organizational and technical security measures must be taken.
Providing Data Access to Data Subjects - Data subjects must be given access to their personal data held by the organization, and also the means to amend, correct or delete the data wherever they deem it inaccurate, or wherever they find it being processed in violation of data protection principles.
Providing Recourse for Affected Individuals and Accepting Liability for Non-Compliance - Individuals should be given access to recourse mechanisms with which all of their complaints must be investigated and resolved without incurring any costs upon the individuals.
Besides the points mentioned above, GDPR training content should include the following topics:
- Personally Identifiable Information.
- Data Retention and Ownership.
- Legal Aspects on Confidentiality and Secrecy.
- Data Labeling.
- Sharing and Disclosing Information.
- Providing Data Access.
- Reporting of Security Incidents.
- Particularities and Internal Procedures.
- Non-Compliance Aspects.
A user security awareness training program should be a continuous process, even where there are no compliance requirements.