There is no purely technical solution for safeguarding against the never-ending stream of new data risks. According to psychologists, IT users are increasingly relying on technical safeguards and are becoming careless as a result. Businesses should therefore ensure greater data protection awareness in the workplace.
Raising awareness of data protection
According to the General Data Protection Regulation (GDPR), data protection officers have the following primary tasks:
- to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to the GDPR and to other Union or Member State data protection provisions;
- to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.
The plans and strategies for awareness-raising and training of staff show that training courses and seminars are full of information about legal requirements and standards.
They include instructions for increasing data security, information about current security vulnerabilities and weaknesses, and recommendations for proper handling of personal data.
It is good to impart such knowledge about data protection, but knowledge alone is not enough.
Well informed, but well implemented?
In the Electronic Commerce Forum's (ECO) 2018 IT security survey, respondents named emergency planning for the prevention of cyber attacks, employee awareness and data protection as the most important security topics:
- 63 percent of respondents said that they train and sensitise their own employees to these issues. Most respondents regularly train employees.
- However, only 32 percent have established internal processes or an emergency plan in order to be able to respond appropriately in the event of an incident.
- 49 percent of respondents have no emergency plan for such situations.
Another example of lack of implementation in practice:
- Password security training has long been standard practice in most organisations. Many people still rely on simple combinations such as "Hello" or "123456" for their passwords.
- One in three Internet users (32 percent) in Germany say that they use the same password for multiple online services, according to the results of a representative survey conducted by Bitkom, the Federal Association for Information Technology.
Knowledge and practice are often worlds apart
Knowledge about data protection will remain dry theory without behavioural changes on the part of individual users. For example, a person might know all there is to know about fishing and still be unable to catch a fish.
Putting theory into practice is still quite easy in the case of fishing, provided you have the right equipment. But when it comes to data protection, how can theory be genuinely rooted in reality so that it leads to a change in behaviour?
Data protection training without a real risk
No one should be tempted into fishing for data. In other words, you shouldn’t try to become a data fisherman yourself to find out how easy it is to steal data.
Instead, the goal is for users in the company to experience data risks in an up-close, realistic way. However, real data should not be used, and there must be no real danger to users or the network.
Making abstract risks experiential
Risks that your colleagues cannot really imagine will usually be underestimated. Data protection officers should find a safe way of making data risks more experiential without taking real risks.
The competent supervisory authorities are offering their support in this area with new data protection awareness initiatives.
One example: Interesting student projects were inspired by contact between Baden-Württemberg Cooperative State University (DHBW) and Dr. Stefan Brink, Data Protection and Freedom of Information Officer for the German federal state of Baden-Württemberg.
Students developed five demonstration systems to make the dangers involved in the processing of personal data more visible and experiential.
The students focused on the following topics:
- Secret data analyses on smartphones to track users at all times and study their behaviour
- A clear visualisation of network transmissions of the operating system and applications for end users
- Video surveillance in public spaces and its potential hazards
New methods are needed to make data risks and data protection more experiential. The 'Datenschutz PRAXIS' website reports on pertinent examples and initiatives that can provide ideas and inspiration and enable direct experience and participation.
Oliver Schonschek is a physicist, analyst, and technical IT journalist for IT security and data protection.