Human factors unveiled: Investigating hidden causes of data breaches: it’s not just about the individual!

By Becky Hall Information Governance Manager, Naomi Korn Associates

I was delighted to present at the IRMS (Information Records Management Society) annual conference which took place from the 12th to the 14th of May 2024. The theme this year was Tides of Change: Surviving and Thriving in a Sea of Information with the focus on equipping attendees with skills and knowledge to help them navigate the ever-changing environment that they work within.

My talk ‘Human factors unveiled: Investigating hidden causes of data breaches: it’s not just about the individual!’ explored the need to look beyond the idea of human error being the cause of data breaches. By discussing a three-tier approach to data breaches, the talk highlighted the importance of recognising initial, underlying, and root causes as separate issues. By doing so, I discussed how these factors can be appropriately recognised and practical actions implemented to help reduce the likelihood of the same, or similar, incidences from happening again.

?The range of talks offered over the conference covered a wide range of topics presented by speakers from a variety of organisations with presentations on:

• Microsoft 365/SharePoint
• AI and machine learning
• Data management and data strategy
• Environmental sustainability
• Data protection

Unsurprisingly, AI and its application was a prime focus of the conference. Key messages included only introducing AI where there is a genuine business need in that it fulfils a specific purpose, for example replacing a process that is excessively time-consuming or where the organisation can see a strong use case. This acts as a reminder that in terms of adhering to a privacy by design culture, the implementation of technology needs to be carefully considered and risks balanced against the benefits. With the growth in AI products, there is a focus on being aware of what organisations are putting into such systems, and making sure that this information is relevant and accurate. Thus, the outputs of AI need to be monitored highlighting the importance of human involvement in the process.

Key take aways from the conference included the need for robust records management, including deletion, ensuring that records are only retained when necessary and that their retention period is complied with, which is part of the requirements under the data protection legislation but also reduces the risk of a data breach. Within the context of environmental sustainability, the need to reduce unnecessary digital documents that are outside their retention period to help reduce the demand for energy.

The conference highlighted the importance of maintaining and growing data protection and information compliance knowledge and skills amongst professionals in the sector. CPD opportunities for those involved in data protection and information governance that are available over the next few months include:

• Privacy by Design: Data Protection Impact Assessments, 18 June 9.30am-1.00pm, a practical course that will support those who are looking to introduce or support the introduction of new technologies into their organisation but walking through the requirements of a DPIA including the legal considerations. (3 CPD points).?
• Information Security and Data Breach Management, 9 July 1.00-4.30pm, ideally for those who want to deepen their understanding and knowledge of the security principle of data protection legislation and data breach management. (3 CPD points)
• Data Protection Essentials: An Introduction, 18 & 19 September 9.30am-1.00pm, a two-part course that focusses on the fundamentals of data protection and key areas of compliance. An ideal course for those new to working within data protection or whose roles have incorporated more of a focus on data protection. (3 CPD points per half day session = 6 CPD in total)

For more information on all of our courses and scheduled dates, please follow the links or contact Naomi Korn Associates’ Training Manager on [email protected].