I was sitting through a rather tedious meeting discussing the minutiae of data security when it occurred to me that IT was an easy target. When the GDPR panic swept through international corporate organisations, managers managed to calm themselves down with the comforting thought that this was purely an IT problem, and therefore a convenient stick with which to beat IT. Not so. When you look through the successful prosecutions that have happened since the GDPR passed into European law, you see that human stupidity and carelessness account for many of them, and organisational malice the bulk of the rest. The IT data breaches are spectacular in scale, and we are right to pore through the details and 'put our own house in order'. However, IT are, in general, the wrong target.
In terms of stupidity, we have as examples insurance companies accidentally distributing their entire client base along with eye-wateringly personal details, embedded unwittingly in a spreadsheet. We have embarrassing personal information in an email chain that eventually went outside the company. We have a social care organisation dumping old files, full of case notes, in a basement in an unsecured and unoccupied house. We have an employee of a care home loading an entire database of medical notes and personal information, taking it home, and then having the laptop stolen. Reading through accounts of successful prosecutions is fascinating.
There are so many ways of 'leaking' confidential data. I was reminded of the time I'd just visited the local amenity site for disposing of rubbish. As I dumped all my old monitors, I noticed a group of people disassembling all the dumped computers. Intrigued, I asked around, and discovered that they were given a guaranteed price for every hard drive. It was, surprisingly, well over the scrap price.
What I'm driving at is that the broader obligations that organisations have for the responsible curation of information can't be palmed off. It affects everyone in the organisation. When any sort of 'leakage' happens, you'll get a visit from the representative of your regulatory authority wearing a charcoal grey suit. The first thing he or she will ask for is your DPIA, or Data Privacy Impact Assessment. All organisations that trade in Europe must formally assess the likelihood of data being 'leaked' or breached, and the impact it would have. This is a formal document that is signed off at board level. It doesn't matter where data may be concealed; like Schrödinger's cat, it is both breached and safe until you investigate and audit it. Where it is stored or hosted is irrelevant. You must prove that you are taking responsibility for good custody of it.
The board of directors, governors or trustees cannot claim they know nothing, because it is now their legal obligation to know about it. If they haven't done the assessment, and the data is breached even by human foolishness, this could lead, in Europe, to administrative fines of up to 2% of the organisation's annual global turnover or €10 million, whichever is the greater.