July was a busy month for the Information Commissioner’s Office (ICO), with ‘intention to fine’ notices being issued to British Airways and Marriott Hotel Group for a combined £282m – the first under the GDPR.
Data privacy professionals have welcomed the publicity around this action, but warn that it doesn’t mean fines issued under the 1998 Data Protection Act are any less important or can be ignored.
“The fines off the back of investigations from pre-GDPR breaches should be viewed as a louder warning shot to smaller, more localised businesses,” says Andy Chesterman at Bedford-based GDPR consultancy, Privacy Helper by DAMM Solutions.
A perfect example of this is an ICO-issued fine of £80,000 to an estate agency last month.
“The agency in question failed to keep their tenant and landlord data safe when personal data was transferred from the agency server to a partner organisation,” said Andy.
“The partner failed to activate an ‘access restriction’ function on their own server, meaning the data could be fully accessible to anyone online for almost two years.”
This might not seem like such a big deal to many until you learn that the database contained financial records, copies of passports, dates of birth and addresses of both tenants and landlords.
What’s more, the exposure of this data was only realised when the agency was contacted by a hacker.
Andy said the breach of this data was preventable and the blame lies with the businesses that collected that information.
“As data controllers, all businesses have a responsibility to ensure any personal data they hold is offered an appropriate level of protection and is disclosed only to those authorised to view it,” he said.
“When systematic failures arise in the processing of data, leading to a breach, then firms must take responsibility for this.
“As the data controller, you are ultimately responsible for ensuring the processing activities of your suppliers are ‘compliant’ with the GDPR.”
So what can businesses in Bedford do to demonstrate this “compliance” and avoid data breaches? Andy says staff training is a key element.
Andy adds: “It is even mentioned in Article 39 of the GDPR that without appropriate training, staff cannot be expected to understand how personal data should be handled and how to spot potential data breaches within the business.
“Fines have been issued in recent years due to breaches caused by staff error, so invest in your staff and they will help to protect the data you hold.”
And it’s not just your business protocols that you have to look out for.
Working with third-party suppliers, especially those with direct access to personal data held by the business, should be approached with caution, and an intensive due diligence process should be completed before signing up to any service.
But there’s no need to spend sleepless nights worrying whether a third party you’re working with is going to land you at the wrong end of an ICO investigation.
“If you have asked the right questions, conducted the appropriate due diligence, have a formal data sharing agreement and a staff training schedule in place, then you may be protected in the event of a data breach by a third party,” reassures Andy.
“Not only can you demonstrate a formal supplier on-boarding process, but you have gone to reasonable lengths to create a ‘culture of privacy’ within the business. You can even satisfy a key principle of the GDPR, accountability.”
If you’re not sure what you’re looking for, consider taking advice from a data privacy specialist – it could be money well spent.