Since May 2018, when GDPR came into force, the ICO has been progressively investigating the data breaches reported to them, and no-one has been spared in their enforcement action. Cases have ranged from local Government officials illegally accessing personal data, to public bodies (including HMRC, for data harvesting), the Metropolitan Police (for its handling of Subject Access Requests) and the NHS (for illegal access to medical records), to regulated industries and small businesses sending unsolicited communications by email or telephone (affecting up to 4.5 million unsuspecting contacts). In one extraordinary case, a Council employee shared unredacted data about alleged gang members profiled on a police intelligence ‘Gang Matrix’ database with other Council staff and external organisations. The data ended up on social media and was then used by the gang members themselves. Unbelievable, but sadly true.
Amicus ITS Director of Technology, Security & Governance, JP Norman, commented: “The ICO are striking a balance between the severity of a breach individually, the volume of data affected, and the harm and distress caused by the breach of security and lack of protocol. We can see from the enforcement notices published across 2018-19 the huge variety of cases that the ICO have dealt with in the last 18 months, and ultimately this illustrates that data responsibility is in the hands of every individual, with the fallout picked up by the organisation/company directors”.
Big headline fines this Summer included the £183.4m fine issued to British Airways following the 2018 cyber incident in which users logging in to BA’s website were diverted to a fraudulent site where their personal details, payment information and travel plans were harvested. This represented 1.5% of global turnover, out of a maximum possible fine of 4%. Then there was the £99.2m fine to Marriott International hotels group for a data breach in which 339 million guest records globally were exposed over several years following a merger, with a lack of due diligence and of adequate security measures. Both organisations are seeking to defend their position. Other big names included Equifax (£500,000), Uber (£385,000) and Yahoo! (£250,000), all for cyber security failures.
Against this backdrop, the ICO Annual Report for March 2018-19, published in July 2019, recognised that 82% of the personal data breaches investigated had been closed with no further action, because corrective measures to avoid a repeat had been taken or were being acted upon. We should take this as positive news, as organisations learn to manage their data more responsibly.
JP Norman adds: “All organisations face the same responsibilities around data management and data security. At the heart of good practice is education and staff training. This can identify what is appropriate when sharing data and ensure that, if approved, it is done lawfully and safely. Organisations, institutions and businesses of any size must have a Data Protection Officer (DPO), who may also be the Data Controller if appropriate. These representatives need ready access to policies and guidance around data security and the measures to be taken in the event of any breach, which can be evidenced and practised as part of a smart Business Continuity Plan. This can be intimidating for businesses of even medium size to get to grips with and act on confidently, so we often see the DPO function outsourced”.
Amicus ITS recognises the challenges organisations face, and earlier this year we published our new Virtual Data Protection Officer service on G-Cloud 11 for public sector customers. Notably, the service is equally available to SMEs. Any organisation that is unsure whether it has the right security policies and security measures in place can contact Amicus ITS in confidence. Taking up this security consultancy could not only save you £000s but also help protect against reputational damage, which can be priceless. Call our Sales team today for a free initial discussion on +44 2380 429429.