The compliance regulation du jour is the EU’s General Data Protection Regulation (GDPR). But many companies aren’t ready for the May 25th deadline and many don’t even know they need to pay attention. Of course, knowing whether your organization is subject to GDPR is only the beginning. You have to take steps to ensure you comply.
As more and more compliance regulations come into effect, it’s creating a lot of work for businesses as they shift, evolve or completely overhaul business processes and deploy tools to meet the requirements. The effort is worth it, though: This is an opportunity to show your customers how committed you are to building a solid relationship of trust – starting with protecting their data. And you can avoid massive fines at the same time.
Of course, no tool or process will ever be effective if people aren’t on board. A security education program can help you build that solid foundation with people to encourage shared ownership of data security across your organization. That classic annual security training video everyone watches for half an hour (to pass a quiz that proves they recalled the information for five minutes) is no longer enough.
Every employee in the world signs an employment agreement that obligates them to follow corporate information handling policies. Even an accidental leak/disclosure can result in termination of employment but what tools do we give them to be compliant?
Today, the consequences are far-reaching, and people have long memories (and search engines). The fines levied and goodwill lost can lead to the failure of the business and countless lost jobs. That’s why it’s imperative to help employees be part of the solution.
So, how do you get people to use effective, secure data handling practices? Here are three ways you can focus your efforts to build a program that will win them over.
1) Build awareness of the data and data protection policies of the organization
This doesn’t mean you need to give everyone an in-depth overview of GDPR or any other compliance legislation. Instead, they need to know the kinds of data that need to be protected across the organization – even when it’s not part of their job.
As they learn about the types of data, they need to know what level of sensitivity should be applied and why. When people understand the policies and reasoning, it’s easier to make decisions about what to do with the data their handling.
The education shouldn’t end as people leave the training, though. You’ll want to keep promoting awareness in various ways:
- Posters with reminders throughout your facilities
- Ongoing training sessions to keep people sharp
- Sharing stories about how people are mindful of security
Without a foundation of awareness, people won’t be able to take the next step of being mindful of information sensitivity as they go about their day-to-day work.
2) Encourage mindfulness about data security
When awareness resonates in a lasting way, it can lead to a more intentional focus on protecting the data they’re handling. With GDPR looming, that’s an important goal! Your organization will benefit from people who go through their workday mindful of data that’s being passed around. They become your first line of defense against data breaches.
Your awareness efforts can help bolster mindfulness by providing reminders to consider the sensitivity of data.
Having mindful people makes the use of technology for data protection more effective. Introducing tools that apply markings and trigger data protection policies can serve as one more way to build mindfulness right into the workflow. When every document has the sensitivity level clearly marked, it’s easier for employees to see at a glance how the material should be handled.
The technology takes this a step further by preventing inadvertent data breaches, disclosures or losses by blocking the most sensitive documents from being sent to unauthorized recipients.
How many times have you been rushing to the next meeting or trying to leave at the end of the day? You fire off an email and realize it went to the wrong person or group right after you hit send. There’s no calling it back, so having a tool that prevents those errors is invaluable.
3) Empower people to take appropriate action and be accountable
Knowledge is power. Putting knowledge into action reinforces what they’ve learned. When there’s only a handful of people in your entire organization who have the responsibility to train, monitor, audit, and maintain all data security efforts, they’ll be more successful if they can build an army of champions for good data security practices.
When awareness and mindfulness lead to reputation-saving preventative action, reward those instances and share the stories to continue the cycle.
Education is key to building a culture of security
The result of all this work is a culture of security where security mindfulness is the status quo of your organization. And when you have the whole company working together to protect sensitive data across your organization, it doesn’t matter what the next data protection regulation is – your entire organization will be ready, willing and able to meet it head on together.
Written by: Doug Snow
Doug Snow is vice president, Customer Success at TITUS, where his 30 years of IT industry experience and project management expertise make him ideal to lead the team that ensures our customers’ needs are taken care of every step of the way.