airBaltic’s email distribution system recently experienced a technical error, resulting in passenger information exposure. The affected passengers received emails containing other customers’ names and reservation details, but no financial data was compromised. Disclosing personal information such as names, birth dates, and email addresses violated passengers’ trust. This was a breach of the airline’s duty of confidence.
airBaltic Airlines should have had strict data protection and privacy practices to avoid such scenarios. Globally, various laws governing data protection and privacy are in place. The laws ensure that individual data is kept confidential unless a legitimate justification and legal intervention are required for its disclosure. General Data Protection Regulation (GDPR) is one of the most strict legislative acts in the world that ensures data protection in Europe.
GDPR is a regulation that safeguards EU citizens’ data and privacy, which is processed during business activities. The act establishes new data privacy standards for customers, thus enhancing the customers’ trust.
What is GDPR?
In 2016 the European Union (EU) adopted the General Data Protection Regulation (GDPR), replacing the old 1995 data protection directive. GDPR is a regulation that safeguards EU citizens’ data and privacy, which is processed during business activities. The act establishes new data privacy standards for customers, thus enhancing the customers’ trust. GDPR is valid in every country within the EU and within the companies outside the EU that process EU citizen data.
Since the implementation of GDPR, there has been an increase in transparency regarding the processing of business data, resulting in stricter regulations on data security. These standards are uniform across all companies within the 27 EU member states. Non – compliance can cost the companies hefty fines.
What are the types of data covered under GDPR?
The GDPR safeguards several types of identifiable information known as identifiers, including name, identification number, location data, and online identifiers like IP and cookie identifiers. This includes all forms of digital data, such as personal identity details, online activity, health and genetic information, sexual orientation, biometric data, ethnic information, and political beliefs.
GDPR only regulates personal data that directly or indirectly identify individuals. Completely anonymised data, where identification is impossible, falls outside its scope. Moreover, it’s crucial to understand that not all data is treated the same under GDPR. Certain data types, such as criminal convictions and offences, are considered more sensitive and subject to stricter processing conditions.
Who is held responsible in the event of a data breach in the organisation?
The General Data Protection Regulation (GDPR) applies to data processors and controllers. Data processors handle personal data on behalf of a controller, which can be a third-party company such as a cloud partner offering services to an organisation. On the other hand, a data controller is the senior authority of an organisation responsible for determining the purpose and means of data protection. If there is a data breach involving an organisation’sorganisation’s employees and customers, even if the data processor is solely at fault, the organisation and the service provider are accountable.
Understanding the fundamental principles of GDPR
Technological advancement has led to an increase in the generation, collection and processing of personal data. This has consequently levelled up the challenges and concerns for both individuals and organisations in protecting personal information, maintaining the trust and reputation of customers, and adhering to regulations. Let us understand the data protection and privacy concept more thoroughly through the European Union’s General Data Protection Regulation Act. (Art. 5 GDPR)
The core principles that form the foundation of most data protection laws serve as essential guidelines for collecting, processing, storing, and managing personal data. These principles ensure that organisations handle personal data responsibly and ethically while upholding individuals’ privacy rights. Adhering to these fundamental principles is crucial for maintaining robust data protection practices. The fundamental principles which can also be considered best practices for data protection and privacy include:
Lawfulness, Fairness and Transparency
Any organisation collecting personal data must ensure the process is lawful, fair, and transparent. Organisations must have legitimate reasoning as to why they are collecting the data and how they will use it. Furthermore, they must communicate this information clearly to the individuals whose data is being collected, upholding their right to be informed under the GDPR.
Before collecting personal data, the purpose should be clearly defined, and data should only be gathered for specific, explicit, and legitimate reasons. Obtaining the individual’s consent before processing their data is crucial. Additionally, any further processing of the data must be compatible with the original purpose for which it was collected.
Never collect personal data assuming it might become helpful in the future. Instead, gather only the data necessary for the intended action and refrain from retaining the collected information for longer than necessary. Make sure that the collected data is accurate and up-to-date. Organisations must provide the provision to update or delete any inaccurate or incomplete information.
Make sure that the collected data is accurate and up-to-date. OrganisationsOrganisations must provide the provision to update or delete any inaccurate or incomplete information. Organisations must establish routine data review processes to ensure continuous accuracy and relevance, safeguarding the integrity of the data they hold.
Never keep the data longer than it’s needed. Once the intended purpose of the personal data is over, it should be deleted or anonymised unless there is a legal requirement to retain it.
Integrity and confidentiality
Appropriate and adequate security measures must be in place to protect the data from loss, unauthorised access, disclosure, alteration or destruction. This includes ensuring the confidentiality, integrity, and availability of the data, as well as safeguarding against accidental loss or damage.
Companies should be accountable for their privacy practices, including conducting privacy impact assessments, designating a privacy officer, and complying with privacy regulations. Moreover, organisations must be able to demonstrate their compliance with GDPR through proper documentation and readiness to cooperate with regulatory authorities.
How to deliver effective GDPR awareness training for your employees?
Conduct risk assessment
To gain insight into potential risk areas, assessing your organisation’s networks, systems, and digital assets is beneficial. The resulting reports can be used to develop targeted awareness training for employees. As a result, they will be better equipped to navigate potential risks by having the knowledge and decision-making skills to do so.
Deliver weekly or quarterly newsletters
Create informative newsletters that include images, videos, and reports highlighting the current state of cyber threats. Connect these updates to GDPR laws and policies clearly and concisely, using examples or comic strips to simplify complex concepts. Keep employees informed of revisions to GDPR, and engage them with fun quiz sessions and prizes for top performers.
Say bye to long boring, guide-like materials
Not all employees have the same knowledge or understanding of the delivered topic. So instead of making it lengthy with boring texts, incorporate hands-on training and visually attractive images that grab the attention. Make the course available so they can attend them any place on any device.
Content quality is more important than size. However, longer courses provide a broader understanding of a topic. In contrast, shorter courses focus on specific areas and can be completed in 5 minutes. Micro-learning and e-learning serve different purposes. Micro-learning is ideal for keeping employees up-to-date on cyber security awareness during work hours, while e-learning is better suited to a comprehensive understanding of a vast topic, which can be given to employees once a month to review what they have learned.
We at Security Quotient offer micro-learning and e-learning courses to help your employees build their security awareness stature. We have developed a micro-learning app, which delivers courses on various topics. The stand-out factor is the under-5-minute courses and an on-the-go learning approach with the help of interactive quizzes.
Here is a recommended GDPR awareness training syllabus.
1. GDPR Overview
- The basics of GDPR
- The types of data that GDPR protects
2. The fundamental principles of GDPR
- Lawfulness, Fairness and Transparency
- Purpose Limitation
- Data minimisation
- Storage limitation
- Integrity and Confidentiality
3. Understanding Key terms
- Data Controller
- Data Processor
- Data Subject
- Personal Data
- What are Identifiers?
4. Understanding the rights of data subjects
- Overview of individual rights under GDPR
- Explanation of each right, including access, rectification, erasure, data portability, and objection
- Case studies on how to handle requests related to these rights
5. GDPR and Employee data
- Handling of personal data in an employment context
- Privacy notices for employees
- Special considerations for sensitive employee data
6. Data Breaches under GDPR
- Who is liable?
- How to report a data breach?
7. Review and Assessment
- Summary and quiz.
Let’s wrap up
In today’s digital age, protecting personal data is not only a legal obligation but also a social responsibility, especially since data is often considered the “new oil.” To ensure compliance and promote a culture of data protection within your organization, it’s crucial to train your employees on GDPR. By investing in a robust GDPR training program, your team will be well-prepared to handle personal data responsibly and adapt to changing data privacy laws and regulations.