By now, the business world is well aware of GDPR and the endless brain-aches that it presents to business owners around Europe. Its enforcers, like the UK’s ICO, are handing out fines like Jurgen Klopp hands out hugs. According to DLA Piper, an average 275 breaches per day were recorded across the EEA between mid-2018 and the start of this year, and there is no sign of it slowing down.
These numbers shocked us and we were keen to understand where the biggest risks facing our clients are… so we switched off the Great British Bake Off and we got to work (it was biscuit week so I hope you’re grateful).
It did not take long to identify one key area that could save our clients millions. Cyber security. In the UK, the two largest fines ever proposed by the ICO for a GDPR breach were both issued against companies that were victims of cyber-attacks.
In 2019, British Airways were notified that they would be issued a soaring fine (pardon the pun) worth roughly 183 million pounds. The largest ever. For context, that is around 50 million pounds more than it cost to build “The Gherkin”. Criminals had diverted user traffic from the British Airways website to a fraudulent site, where the customers’ personal details were harvested by the attackers. Around 500,000 customers’ personal data was compromised. The ICO found that British Airways, and its poor security arrangements, were to blame.
In the same year, Marriott International was also sanctioned by the ICO. The story is familiar. An unauthorised party compromised the company’s guest reservation database and harvested the personal data of customers. The ICO deemed that, among other things, the company should have done more to secure their systems. The damage? Around 99 million pounds, or for further context, the rough cost of Donald Trump’s annual tanning bill.
Prepare to succeed
In all seriousness, if you have not done so already, it is time to make sure that your data security measures are up to scratch. The ICO has demonstrated that it is unconcerned as to whether your breach is due to the malicious acts of somebody else. When deciding on fines, it is only concerned about how far a company went to protect its customers and their data in the first place.
So, what can you do to ensure that your security systems are GDPR compliant? Well, with the way 2020 has panned out, we assumed that you might be fed up with untangling convoluted government rules… so to make things simple, we have set out some top tips, straight from the ICO themselves:
- Make sure that you have carried out an analysis of the risks that your data processing creates;
- Use this risk analysis to assess how robust your security measures need to be, and use this to create and implement an information security policy;
- Consider the costs of installing appropriate security measures and plan how you will budget for them;
- Regularly review your information security policies and measures and improve them wherever necessary;
- Research and understand the specific data security measures that you may have to take to cover the unique risks of your specific industry;
- Use encryption and pseudonymisation wherever possible;
- Understand and respect the principles of confidentiality, integrity and availability when handling personal data;
- Install an appropriate backup process, ensuring that you can restore access to lost personal data;
- Ensure that any data processor you use also adheres to appropriate technical and organisational measures.
Of course, sometimes these measures are not enough, and often each client will require specialised advice. If you would like to know more about how you can protect your business from the risks of cyber-attacks and the resulting data breaches, drop us a message or contact us via the link below.
Until then, take care, stay safe and enjoy your week.