Is GDPR Understanding A Training/Awareness or Cultural Issue?
Sometimes I read these statistical articles and they reaffirm my knowledge and experience; unfortunately, the attached article is no exception. Training and awareness are still an issue with U.S. based employees. The fact that 84% of employees surveyed in the U.S. have never heard of GDPR, 90% are unaware of the California Consumer Privacy Act and 97% are unaware of Vermont’s data privacy law, although possibly understandable, is of concern, especially when approximately 65% said they deal with sensitive data daily. This comes as no real surprise, as, in my opinion, most U.S. based companies, despite their global nature, don’t really train employees on how to handle sensitive data.
If I think about it, I have had security awareness training, but I really don’t recall any specific privacy awareness training: training on how to recognize and handle the data that comes into an organization. The fact that most companies are horrible at data classification supports this as well. I think it may be assumed that employees who receive annual cyber security awareness training will get both the cyber security and the privacy aspects. But I believe this is just another case of losing sight of the data… i.e. the information part of information security.
It is also interesting that, in the attached article, 43% of the respondents in the U.S. felt that a technical solution was the answer, while only 4% of respondents in the UK felt technology was the answer. This too points to a cultural distinction in how people believe the challenges of cyber security and privacy can be solved. Say it with me…. technology cannot solve security’s problems because technology IS security’s problem!