The GDPR (General Data Protection Regulation) comes into forces this week - on May 25 - but 57 percent of employees still don't know what they are supposed to do to protect personal data, according to a OnePoll survey of 1,000 employees undertaken for London-based Egress Software Technologies.
Tony Pepper, Egress's CEO, said in a statement: "Over the past two years, GDPR has been effective in pushing data protection up the boardroom agenda, and technology and compliance teams have been working overtime to make sure their organisations are ready." However, he sees "a worrying disconnect between what organisations have agreed at a corporate level versus the communication and education of employees who will need to act out these changes."
The survey suggests that only 42 percent of employees had been provided with ways to share personal information safely, "such as email encryption, encrypted file transfer or secure project collaboration tools".
However, 20 percent "admitted to using personal apps or web services to share company documents. Unsurprisingly, personal email led the charge on this with 12 percent of respondents choosing it as one way to quickly share documents, while other answers included social media (seven percent), messaging apps (seven percent) and personal clouds (three percent)," says Egress.
"This behaviour puts personal data at higher risk of unauthorised access and makes the organisation liable for a data breach under GDPR."
Marketing departments are the worst offenders because these employees are most likely to handle personal data (96 percent of marketing respondents) and most likely to use social media accounts (70 percent).
According to the UK's Information Commissioner's Office (ICO), many reported security incidents are due to simple human errors. The most common (see bar-chart below) are:
Data posted or faxed to incorrect recipient;
Loss or theft of paperwork;
Data sent by email to incorrect recipient;
Failure to redact data;
Failure to use bcc when sending email.
One approach is to provide an encrypted email and file transfer system, which is one of the things Egress is selling. Egress Switch can be cloud hosted on on-premise. While companies pay a subscription to send encrypted messages and files, it's free to recipients, via web browsers or desktop and mobile apps. Further, users who self-identify can use the secure system to send data to subscribing organisations, such as local authorities, not just respond to emails.
Organisations that use Office 365 can also use Office Online securely inside Egress's Switch Secure Workspace.
Egress told ZDNet: "We're not advocating replacing email or fundamentally changing the way people work - we know from past precedent that typically that's not going to be a successful approach! Users simply want to get their jobs done, so security tools must enable them to both be productive and secure personal data."
Another idea is to use DLP (Data Loss Prevention) software.
Egress says that "emails can be scanned against DLP policies to force encryption of messages and attachments should users forget to do so, and machine learning can be used to highlight when an incorrect recipient has been added to an email. In this way, we can take the tools and processes staff are used to working with to help them continue doing their jobs but also avoid putting personal data at risk."
But every technology solution must be backed up with education and training.
Pepper says: "Awareness is a huge part of compliance: everyone who handles personal data should be able to identify and protect it. Organizations need to be doing all they can to provide staff with security safety nets that prevent data breaches. This can only be achieved through a blend of awareness, training and getting the right security technology to support the day-to-day work staff are doing."