Why the human side of GDPR matters

Data breaches have a human cost, so organisations must adopt a people-centred approach to GDPR, argues insurance broker Bluefin.


June 2018

Data protection is fundamentally a human issue. And yet, relatively little is written about the human cost of data breaches. Without this focus, organisations will likely continue to view General Data Protection Regulation (GDPR) as a compliance exercise. Instead, GDPR offers a meaningful opportunity to prevent employees and clients from suffering harm.

By applying a people-centred approach you can not only comply with GDPR, but also implement lasting change to protect the individuals that all businesses rely on.

The human cost of data breaches

Do data breaches cause harm to victims? This may appear to be a simple question, but it is one that is argued in courts all over the world.

The most obvious concern for those affected lies in the increased risk of becoming a victim of crime, such as theft or identity fraud. This concern is not misplaced, particularly when we consider that Simon Dukes, Chief Executive of fraud prevention organisation CIFAS, reported in 2017: “We have seen identity fraud attempts increase year on year, now reaching epidemic levels, with identities being stolen at a rate of almost 500 a day.”

For the individual, the consequences go beyond the financial loss or time spent in reporting and resolving the incident. The link between identity theft and stress or health problems is already well documented.

But what about the less obvious, intangible losses associated with data breaches? As the recent Morrisons case shows, even in the absence of financial loss, victims still suffer upset and distress. This type of harm is less researched, but emerging studies have suggested that an invasion of privacy can cause emotional trauma including insomnia and depression in victims.

Adopting a people-centred approach

If data protection is a human problem, it will also require a human solution. Here are three tips on how to adopt a people-centred approach within your organisation:

  1. Educate your people on the ‘why’ not just the ‘how’
    The greatest irony in GDPR is that although it exists to protect people, those same people are often considered the ‘weakest links’ in cybersecurity. According to research by CEB, 90% of employees admit to breaching policies designed to prevent data breaches. Real cultural change won’t be possible until employees are able to empathise with data breach victims and understand the vital role they play in protecting themselves and others.

  2. Appoint leaders to protect victims in the event of a breach
    In the event of a crisis, it’s easy to become distracted by the potential impact on your bottom line. Should a breach occur, it’s important to appoint a leader who can solely (and strategically) focus on minimising individual harm. This will not only protect those affected but will also reduce customer losses as well as the cost of the breach.

  3. Put empathy at the heart of your breach response plan
    In practice, this means much more than just listening to victims and recognising their concerns. Businesses should also help victims understand the potential consequences and take steps to repair the damage. Research from the Ponemon Institute suggests that organisations offering data breach victims identity protection services are more successful in retaining customers.

If you’re interested in understanding how insurance can help in the event of a data breach, get in touch with Bluefin Professions.
