Updated: Sep 30, 2019

When GDPR was first being whispered about, I’m sure there were many within the British business community who suspected it would all be a bit powder-puff: those who doubted it would ever come to much and suspected that the regulators wouldn’t be given the power to let it have true effect.

Even when the maximum fines were announced as being up to 4% of global turnover (depending on severity and negligence), many would have simply brushed it off as posturing, a big stick being waved at them by Government.

Well, there can’t be anyone left in that school of thinking now!

The Information Commissioner’s Office (ICO) showed off both its intentions and its power this week by handing British Airways the equivalent of an advisory note, telling the airline it was going to be fined an eye-watering £183m for a significant data breach. It made a massive splash. Despite the latest Donald Trump diplomatic row and the fact our new Prime Minister was set to be announced, the massive fine was on every news outlet and trending on Twitter for more than 24 hours.

When the ICO then followed up with an equally intriguing fine of £99m for the US-owned Marriott Hotel Group – demonstrating the extended legal jurisdiction of the new Data Protection Act – it left businesses wondering who might be next and, more importantly, could it be us?

Just to put these in some context, the highest previous fine was £500,000 – the maximum allowed under the previous law – which was handed out to Facebook for the Cambridge Analytica case. You have to wonder what Facebook might have been fined under the new laws, considering 4% of their revenue would equate to approximately £1.8 BILLION… it’s no wonder they’re setting aside more than £2bn to help secure their data privacy systems and procedures.

Now, of course, these data breaches have been known about for some time, and been referenced by those who talk about GDPR on a regular basis since the investigations were announced, but the wider public and many small business owners were probably only fleetingly aware of them. Big numbers create big headlines, and so it proved this week.

Headlines result in action, and you can only imagine some of the conversations that have taken place in the open-plan corridors of the biggest organisations this week. Data Protection Officers and Heads of IT Security will have been rapidly called in to confirm “this can’t happen to us, can it?”. They’ll have teams of people checking their processes again, ensuring the latest security patches are installed and doing a belt-and-braces review of their controls.

But what of the smaller business? Those owner-run organisations, local government departments or smaller charities that may not be 100% sure of their responsibilities?

Some took the initial introduction of GDPR very seriously, and spent time and resources de-risking their business. Others introduced the almost obligatory Privacy Policy but did little else to actually change anything internally. Many, many others did nothing at all…

And, whatever may have been achieved by even the best practitioners, those tasks were completed more than a year ago, so plenty might have changed in that time. New staff may have come into the business and need training. Processes and systems may have changed – have they been checked for compliance?

When you introduce a new piece of equipment or machinery into a factory environment, the engineering team or Health & Safety officers will do a validation check to make sure it’s safe to use. This goes as far as the kettle or toaster in works kitchens.

That is the approach – the mindset – now required for data security too. If updates are made, if personnel change, if IT software packages are altered, you should review whether there is any impact on your standard data protection.

Whether that’s marketing and CRM management, HR’s personnel processes or online payment systems, organisations are now FULLY responsible for keeping our personal data secure.