Regulation (EU) 2016/679, the General Data Protection Regulation (hereinafter, the GDPR), requires companies and institutions to adopt appropriate technical and organisational measures to ensure the security, integrity and confidentiality of the personal data they process (Article 32).
It also defines a personal data breach as “any incident that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data” (Article 4(12)), and adopts a risk-based approach. This requires organisations to analyse the potential threats affecting information and to implement security measures proportionate to those risks.
In this context, attention and efforts are often focused on technical solutions: encryption systems, firewalls, backups, antivirus software, and similar tools. All of these are necessary, but not sufficient, as they do not, on their own, guarantee an adequate level of security.
What is the point of making a major investment in technology and information security if the workforce is unaware of it?
This means that organisational and human measures must also be included in order to address and mitigate one of the most significant risks: the human factor. Without staff commitment and proper training, any technical measure may fail, since security breaches may arise not only from sophisticated cyberattacks, but also from simple human errors, such as downloading a malicious file, sending an email to the wrong recipient, or losing devices containing sensitive information.
Moreover, as the Spanish Data Protection Authority (Agencia Española de Protección de Datos, hereinafter the AEPD) has repeatedly stated in various sanctioning decisions, the fact that an infringement occurs “without intent” or “by mistake” does not exempt the data controller from liability.
What role does the workforce play in preventing incidents or security breaches?
In every organisation, the principle of proactive accountability must prevail. This principle is understood as the obligation not only to comply with data protection regulations, but also to be able to demonstrate such compliance to authorities and data subjects, by applying measures such as data protection by design and by default (Articles 5(2) and 25).
Does this mean that data protection training for staff is mandatory?
The answer is that it is not an explicit requirement for all employees in all situations. However, organisations are expected to ensure that their staff understand their obligations in order to prevent security breaches.
The AEPD has indicated that training should be appropriate, ongoing and tailored to the role performed, especially in entities that have appointed a Data Protection Officer or that process special categories of data.
Examples of measures that employees should take into account to protect the information they handle include the secure management of email, such as verifying recipients before sending personal data, using CC and BCC fields correctly, checking attachments, and following established protocols in the event of an error.
They also include the detection and prevention of phishing and social engineering techniques, as well as the secure management of passwords and access credentials. This entails using unique and strong passwords, prohibiting password sharing, locking sessions when leaving the workstation, and similar practices.
Other measures may involve the secure use of devices and physical media, as well as the proper handling of paper documents, from their appropriate storage to their secure destruction when they are no longer needed.
Therefore, staff training and awareness are key elements in incident prevention. Organisational culture should encourage the early identification of potential incidents and the internal reporting of any anomalies, as well as the prompt notification to the supervisory authority of any personal data breach, as required by Article 33 of the GDPR.
In this way, not only is the likelihood of incidents reduced, but the organisation’s ability to respond effectively is also enhanced.
In conclusion, the protection of personal data requires going beyond mere regulatory compliance and technical solutions, by integrating an awareness culture and appropriate training as preventive security measures.
If you are interested in receiving information on data protection or in arranging training for your company’s workforce, simply get in touch with us.
Article by Imma Martí.