Tuesday 4 April 2023

Let's Go DPO: March Takeaways

The focus of our Let’s Go DPO March 2023 interactive session was to exchange ideas about the practical data protection training and education methods you have found most effective, or least effective, when engaging with your teams, and how you measure their effectiveness.

For details of this and future events, and to sign up (they are free), go to:

https://www.jerseyoic.org/events/let-s-go-dpo-march-session/

‘These events are a very interesting way to share knowledge, and I certainly took away some useful pointers to improve our training.’

Some takeaways I gleaned from the session:

Training of new employees on Data Protection should form part of induction training; if it does not, it should be done within 3 months of their starting.

Companies should have a culture whereby reports of breaches are not subject to severe disciplinary action, as that may deter employees from coming forward.

(In a company providing JFSC-regulated services, this can be "piggy-backed" on the existing culture of SARs [Suspicious Transaction Reports] and the mandatory reporting of potential SARs to the MLO [Money Laundering Officer].)

It is useful to email Data Protection Tips on a weekly basis – either refreshers on phishing or on other matters. Keep them short but memorable.

The screen saver / lock policy (for when staff are away from their desk) should be checked.

In house training with real-life cases is often better than generic training online.

The Data Protection Policy needs to cover software which may be external to the office systems (e.g. on a mobile phone), for example:
  • Teams use
  • WhatsApp use

It should be noted that, if used outside of the office environment, WhatsApp is not password protected, so anyone with access to someone’s mobile can see all messages. Staff should be told to take care over what is shared, and to inform management and the DPO [Data Protection Officer] if someone else has access to their mobile. Mobiles should be secured with a PIN, password or similar.

Legacy systems can still be used as long as they have a suitable security “wraparound” so that they cannot be accessed from outside the office environment (including 2FA for remote access).

One company left fake user names / passwords on sticky notes to see whether employees would report them to the DPO when they spotted them.

Phishing training by third parties, using fake phishing emails to test employees, can be helpful.
