Lessons from the latest ICO fine

Do you hear that sound?  It’s the deafening groan of all those people having to take their mandatory GDPR training.  It’s not going to surprise you, but I quite like doing data protection training.  It’s also probably not shocking to hear that the training I give to clients and colleagues tends not to be of the cookie cutter “law says this, you do that” variety.

Earlier this week the UK ICO issued a £4.4 million fine to an English construction firm, Interserve, in relation to poor security practices which led to a phishing attack that affected more than 110,000 of its employees.  As is usually the case with these penalties, there are a number of interesting takeaways – and this one is no different.  Since we’re on the topic, let’s look at what the ICO says about staff training.

• Interserve had an IT Training Policy in place during the period in which the ICO considers that the company’s security practices weren’t GDPR-compliant.
• At the time of the attack, one of the two employees who received the phishing email had not undertaken data protection training, contrary to the requirements of the Policy and various industry standards and best practices.
• As a result, the lack of training for the individual in question “exposed Interserve to risks of the kind giving rise to the [attack]” and contributed to a breach of Article 5(1)(f) of the GDPR.

So far, so straightforward: be able to demonstrate that your employees have sat through their data protection training and it’s one less stick the regulator can hit you with?  That’s certainly one way of looking at it. 

As an aside, I do find it curious that the person who opened the suspicious email had been given training, whereas the person who forwarded the email hadn’t.  I’m guessing here, but it does sound like the second employee suspected the email might have been dodgy and forwarded it to the first employee for confirmation.  To absolve the first employee because they had training and yet still did the wrong thing seems odd, but there we go.

And even if training = good, we’ve all given sessions where it’s painfully obvious that an attendee is scrolling social media or thinking about what’s for dinner or — god forbid — sleeping.  Same with the online training where people simply turn down the volume and click through the slides as quickly as possible without raising suspicions.  If an employee treats their training as a joke, do they make a sound, et cetera.

The better approach is to treat training as an opportunity to genuinely engage people so that it’s not a box-ticking exercise, but actually helps them to think about doing the right thing.  In other words, you may be able to show the regulator a piece of paper that proves employee X attended training on day Y, but (1) that’s unlikely to work every time, and (2) it’s ultimately not the way to create an ethical culture.

Creating that culture is not easy, of course.  The ICO has helpfully publicised some of its training materials (at https://ico.org.uk/for-organisations/posters-stickers-and-e-learning/training-resources-for-your-business/), which is a good start.  But is it enough?

The sharpest of you may have noticed a nuance in point (2) above.  I didn’t refer to a culture of compliance, but rather to creating an ethical culture.  Not just complying in so far as attending training, but actually understanding the wider reasons behind the risks being covered and forming the right mind-set to recognise issues as they emerge in your day to day.  Maybe that’s where the first employee went wrong at Interserve.

As my colleagues in the R&G Insights Lab would say: training employees about risks that manifest because everyone is human and fallible requires a human-centered approach.  If you’re not incorporating insights about human behaviour into how you train (and indeed what you train for), it’s not going to be enough when the regulators come calling.