The General Data Protection Regulation came into force (you may have heard about it!) on Friday 25 May 2018. It took less than a week for news to emerge of a significant data breach.
It appears that customers of TSB have been accidentally sent letters addressed to other customers, revealing the names and addresses of those other customers. Ironically, the letters appear to be apologising for the Bank’s delay in dealing with the customers’ complaints. One customer is said to have reported receiving letters to six other customers in the same envelope as a correctly addressed letter.
TSB has, of course, been suffering serious IT issues – but the stuffing of envelopes might well be a manual task and that reminds us of the weakest link in our systems in the context of complying with data security.
What is that weakest link? No, it’s not the external hacker. Nor the failure of technical security measures such as the firewall. It’s human error. The users. They are the ones who, for example:
- leave their laptops on the train; or
- send an email addressed to a number of recipients with their addresses in the “to” or the “cc” section rather than “bcc”; or
- download random attachments or plug memory sticks into the network without checking them first.
The GDPR requires organisations to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. The ICO guidance under the heading “What about our staff?” advises us to ensure that our staff understand the importance of protecting personal data and are familiar with our security policies and procedures – and recommends that we provide appropriate training.
This a reminder to make sure that among all of the great work that has been done from a technical and a documentary point of view to ensure compliance with the GDPR, we have not overlooked the work needed in relation to that weakest link.