Data Protection Requires an Empathetic ApproachApril 2019
When it comes to data protection and cybersecurity, companies are relying on ever-more sophisticated and complex mechanisms to combat data breaches. Indeed, there are many good reasons for buying the latest and greatest data protection systems. This article looks at why it is important not to forget the human element.
GDPR grants a right to compensation to data subjects if their data has been mishandled, so it is natural for companies to seek the maximum level of protection available to avoid fines. Similarly, many if not most companies operate in a data-heavy environment, meaning that such fines could be very significant from both a financial and reputational perspective. Moreover, companies may be exposed to data breaches but do not have an internal capacity to understand and mitigate the problem. As a result, companies turn to the most expensive and up-to-date cybersecurity systems in order to compensate for any internal failings within the data protection structure.
However, there is a growing concern in the cybersecurity industry that the data protection solutions on offer to end-users are misdirected. The former chief security officer for Facebook, Alex Stamos, courted controversy in 2017 by stating that “we have a real inability to put ourselves in the shoes of the people we are trying to protect,” and that security professionals need to "have empathy for the people that use the technologies we build.” Isaac Kohen, CTO for Teramind, emphasises that data protection is a user-centric industry and therefore, unsurprisingly, requires a user-centric approach to creating technologies.
Security professionals will generally acknowledge that “users are the weakest link” in the chain of data protection, but why is this? Arguably, it is because users often have to work with systems which they do not fully understand or which are not designed specifically for the problems that they face regularly. The people who are dealing with data protection threats on a daily basis are the employees of a company. Frontline employees are bombarded with phishing attacks and software updates, which are becoming more difficult to recognise as time goes on. It is therefore critical that any technological solution to cybersecurity is easily understood and managed by these employees in the trenches.
Stamos’ point is that security professionals must take an empathetic approach to these employees to understand the challenges which they face in order to design technological solutions which meet the daily needs of these employees. There are clear merits to taking an empathetic approach to data protection solutions. As service providers, it is essential that customers feel that their needs are being looked after and that they are getting value for the often-times expensive technical and structural solutions for which they are paying. This equally applies to companies like RegSol as it does technology companies. The increasing outsourcing of data protection management and the advent of professional Data Protection Officers could potentially lead to the same lack of empathy among professionals in the data protection industry. Professional DPOs will have their time and resources stretched as they take on more work and this will inevitably lead to boiler-plate solutions being offered to their customers.
From our perspective, open communication is vital to understanding the individual concerns and needs of each customer in order to pinpoint the specific action plans which are required to prevent data breaches. Often, customers will employ a data protection consultant because they know very little about their GDPR commitments and preventing data breaches. As a result, it is possible for customers to blindly follow the advice given to them by consultants. However, at RegSol we realise that our clients know far more about their own business than anyone else. As such, we always engage in a collaborative effort in order to appreciate the problems that our clients face and create the best possible data protection system.
This collaborative process is very important in the context of training employees. Different companies will process different types and volumes of data and there can be no “one size fits all” approach for every company. Similarly, the training that management-level employees require will be different to the training that junior employees require because of the natural differences in those positions.
While it may not be immediately obvious to associate empathy with data protection, it is becoming increasingly clear that the only way to provide effective consulting and training services to clients is to adopt an empathetic approach to each businesses’ unique needs. Rather than just simply provide a straightforward policy document and an annual Powerpoint presentation to employees, effective data protection solutions include short, concise messages, interactive challenges and real-time coaching in the event of a mistake.
No data protection solution will ever guarantee that data breaches will not occur, just as no physical security system will guarantee that a premises will not be burgled. However, by undertaking an empathetic approach to employee engagement with data protection, companies can ensure that their employees are well-placed to detect and prevent data breaches. As importantly, we strive to ensure that the biggest risk still facing many firms, 'Human Error', is reduced.
K. Flood for RegSol Ireland