Lessons From The Latest ICO Fine – Data Protection


Do you hear that sound? It's the deafening groan of all
those people having to take their mandatory GDPR training. It's
not going to shock you, but I quite like doing data protection
training. It's also probably not surprising to hear that the
training I give to clients and colleagues tends not to be of the
cookie-cutter "law says this, you do this" variety.

Earlier this week the UK ICO issued a £4.4 million fine to
an English construction firm, Interserve, in relation to poor
security practices which led to a phishing attack that affected
more than 110,000 of its employees. As is usually the case with
these penalties, there are a number of interesting takeaways,
and this one is no different. Since we're on the subject,
let's look at what the ICO says about staff training.

  • Interserve had an IT Training Policy in place throughout the period
    during which the ICO considers that the company's security
    practices were not GDPR-compliant.

  • At the time of the attack, one of the two employees who
    received the phishing email had not undertaken data protection
    training, contrary to the requirements of the Policy and various
    industry standards and best practices.

  • As a result, the lack of training for the individual in
    question "exposed Interserve to risks of the kind giving rise
    to the [attack]" and contributed to a breach of Article
    5(1)(f) of the GDPR.

So far, so simple: be able to show that your
employees have sat through their data protection training and
it is one less stick the regulator can hit you with? That's
certainly one way of looking at it.

As an aside, I do find it curious that the person who
opened the suspicious email had been given training,
whereas the person who forwarded the email hadn't.
I'm guessing here, but it does sound like the second employee
suspected the email might have been dodgy and forwarded it to the
first employee for confirmation. To absolve the first employee
because they had training and yet still did the wrong thing seems
odd, but there we go.

And even where training = good, we have all given sessions where
it is painfully obvious that an attendee is scrolling social
media or thinking about what's for dinner or, god forbid,
sleeping. Same with the online training where people simply
turn down the volume and click through the slides as quickly as
possible without raising suspicions. If an employee treats their
training as a joke, do they make a sound, et cetera.

The better approach is to treat training as an opportunity to
genuinely engage people so that it isn't a box-ticking
exercise, but actually helps them to think about doing the right
thing. In other words, you may be able to show the regulator a
piece of paper that proves employee X attended training on day Y,
but (1) that is unlikely to work every time, and (2) it is
ultimately not the way to create an ethical culture.

Creating that culture is not easy, of course. The ICO has
helpfully publicised some of its training materials,
which is a good start. But is it enough?

The sharpest of you will have noticed a nuance in point (2)
above. I did not refer to a culture of compliance, but rather to
creating an ethical culture. Not just complying insofar as
attending training, but actually understanding the broader reasons
behind the risks being covered and forming the right mindset to
recognise issues as they emerge in your day to day. Maybe
that is where the first employee went wrong at Interserve.

As my colleagues in the R&G Insights Lab would say: training
employees about risks that manifest because everyone is human and
fallible requires a human-centred approach. If you are not
incorporating insights about human behaviour into how you train
(and indeed what you train for), it isn't going to be enough
when the regulators come calling.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
