In this podcast, we look at staff awareness of compliance. We talk about what staff need to know and how to ensure your people are as well-informed as they need to be about laws and regulations that affect the way your organisation handles data.
We talk with Mathieu Gorge, CEO of Vigitrust, who will discuss the key regulations that affect organisations in the UK and Europe, and their implications. We also talk about the ways organisations can make sure their staff are well-trained to deal with data compliance.
Antony Adshead: Why is staff awareness of compliance an important issue?
Mathieu Gorge: Well, it’s a very timely question because the month of January is marked with Data Protection Day on the 28th. It’s an international initiative that started a few years ago and is primarily observed in the US, Canada, Israel and European countries but, generally speaking, is becoming a global event.
What we’re looking at is the fact that staff need to be aware of the importance of data and the value of data.
It’s actually covered in the UK under the Data Protection Act, but also in Europe with the GDPR (General Data Protection Regulation), which states that you need to take appropriate security controls and measures to protect data and the potential impact it could have on the person if that data was hacked or stolen or modified. And within those measures you find technical measures, policies and procedures, but staff awareness is clearly one of the requirements.
If you move onto standards like PCI-DSS – the payment card industry data security standard – you find mandatory requirements for staff awareness around data in requirement 12.6, which states that anybody dealing with credit card data needs to be trained upon being hired and once annually after that.
You will also find requirements for specific training around application security and the data in the application and the incident response plan. You will find that in federal regulation and state regulation, but also in international data transfer frameworks and standards, so staff awareness with regard to compliance and data protection and data privacy is at the forefront of every security strategy worldwide.
Adshead: How can we implement frameworks to ensure staff awareness of compliance, especially in relation to storage and backup?
Gorge: Security strategies with regard to staff awareness typically cover making sure that staff are aware of policies and procedures, making sure they understand the dos and don’ts in the policies with regard to what they can do with data.
And if we go back to that idea of the value of the data, you want to make sure that every staff member at any level within the organisation, from bottom to top, understands the implications of not protecting the data, not just for the company, but also for themselves.
For example, there may be disciplinary procedures associated with not taking good care of data. There might be implications for the business, for the overall business continuity of the organisation if something goes wrong.
So, organisations typically have ongoing training around data security and compliance, to explain to staff what data is made of, whether it is structured data, unstructured data, what type of data is public, confidential, highly confidential, or whatever category you want to use.
Or where the data might reside within the organisation, where it is protected, whether it is encrypted, whether you use tokenisation, whether you need to take specific care based on the various classification levels of the data. And mostly, how to report a data breach or suspicious activity.
So, in practice that means organisations put together a framework, a security awareness programme that can include face-to-face training, e-learning, war games, awareness days, not just in January but potentially throughout the year, with another global event around October’s European Cyber Security Month.
So I think organisations are recognising the requirement to raise awareness within all levels of the organisation so that we understand the value of the data, where it can be stored, what kind of data can be stored, and the dos and don’ts in practical business terms.