    GDPR, the regulator and you

    All organisations that handle personal data, at any level, are obliged to protect it from prying eyes. Individuals who share their data with you - wittingly or unwittingly - have to trust that you won't share it in a way that identifies them. Some organisations might claim that they've anonymised the data, which sounds good, but if any elements of that data could be combined to lead back to the individual - a postcode, sex and age, for example - then it is not private at all. Others might claim to encrypt data so that, even if it's stolen, it can't be understood. This could be good, provided the encryption keys cannot be discovered and associated with the stored data.
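    The re-identification point above can be checked rather than argued about. The following is an added example, not part of the original article: it takes a constructed set of "anonymised" records (names removed, but postcode, sex and age retained) and measures their k-anonymity, i.e. the smallest number of records sharing the same combination of those quasi-identifiers. A value of 1 means at least one person is uniquely identifiable from the "anonymous" data. It then coarsens the quasi-identifiers (outward postcode only, ten-year age bands) and re-measures. The records, field names and banding rules are all assumptions made for the illustration.

```python
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Constructed sample of "anonymised" records: direct identifiers are gone,
# but each row still carries the quasi-identifiers the article names.
RECORDS: List[Dict[str, object]] = [
    {"postcode": "SW1A 1AA", "sex": "F", "age": 34, "diagnosis": "asthma"},
    {"postcode": "SW1A 2BB", "sex": "F", "age": 38, "diagnosis": "none"},
    {"postcode": "SW1A 1AA", "sex": "M", "age": 41, "diagnosis": "diabetes"},
    {"postcode": "SW1A 3CC", "sex": "M", "age": 45, "diagnosis": "none"},
    {"postcode": "EC1A 1BB", "sex": "M", "age": 52, "diagnosis": "asthma"},
    {"postcode": "EC1A 9ZZ", "sex": "M", "age": 57, "diagnosis": "none"},
]

# Fields that, combined, could lead back to a person (assumed for this example).
QUASI_IDENTIFIERS: Tuple[str, ...] = ("postcode", "sex", "age")


def equivalence_classes(records: Sequence[Dict[str, object]],
                        keys: Sequence[str]) -> Counter:
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def k_anonymity(records: Sequence[Dict[str, object]], keys: Sequence[str]) -> int:
    """Smallest equivalence-class size; k == 1 means someone is unique in the data."""
    classes = equivalence_classes(records, keys)
    return min(classes.values()) if classes else 0


def reidentifiable(records: Sequence[Dict[str, object]],
                   keys: Sequence[str]) -> List[tuple]:
    """Quasi-identifier combinations that match exactly one record."""
    classes = equivalence_classes(records, keys)
    return sorted(combo for combo, n in classes.items() if n == 1)


def generalise(records: Sequence[Dict[str, object]]) -> List[Dict[str, object]]:
    """Coarsen the quasi-identifiers: outward postcode only, ten-year age band."""
    out = []
    for r in records:
        g = dict(r)
        g["postcode"] = str(r["postcode"]).split()[0]      # "SW1A 1AA" -> "SW1A"
        decade = (int(r["age"]) // 10) * 10
        g["age"] = f"{decade}-{decade + 9}"                 # 34 -> "30-39"
        out.append(g)
    return out


if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS, QUASI_IDENTIFIERS))
    for combo in reidentifiable(RECORDS, QUASI_IDENTIFIERS):
        print("  uniquely identifies someone:", combo)
    coarse = generalise(RECORDS)
    print("generalised k =", k_anonymity(coarse, QUASI_IDENTIFIERS))
```

    Run against the constructed records, every row is unique (k = 1), so anyone holding a voter roll or a customer list with postcode, sex and date of birth could match names back to the "anonymous" diagnoses; after generalisation each combination covers at least two people (k = 2). The check is the same one a data protection reviewer would run before accepting a claim that a dataset is anonymised rather than merely pseudonymised.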

    The arrival of the General Data Protection Regulation (GDPR) in 2018 gave Supervisory Authorities, such as the UK's Information Commissioner's Office (ICO), the power to impose massive fines - up to 4% of turnover - on companies in the event of loss, damage or theft of people's personal data. 

    IT's secure role 

    Organisations need IT and security specialists to ensure the privacy of their precious data. If they don't, then they don't deserve to be in business. Between them, these specialists and others (the executive team, the board, legal, data protection, customer managers and PR, for example) manage all the processes around data breaches and their consequences.

    Some fast-moving departments see IT as obstructive so they set up their own ‘shadow IT’ activities, quite often dealing with personal data - maybe on their own servers, maybe in the cloud. Others simply buy in (or copy) bits of JavaScript code to improve the user experience on their web pages. Unauthorised, these activities might accelerate productivity but they potentially expose the company to a greater risk of a personal data breach.

    To give an idea of the mayhem that can follow the unwitting inclusion of a bit of JavaScript code in a web page, a large well-known company (the case is ongoing) centralised the storage of its scripts, including one for capturing credit card data. The script's IP address was embedded in a number of the company's transaction web pages. For a short period, no-one noticed that the script had been altered to steal all the buyers' keystrokes before they clicked the ‘OK’ button to send their data, securely, to the processing banks. Neither the buyers nor the company were aware that anything untoward was happening.
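    The incident above turns on nobody noticing that a script served from a fixed location had changed. Browsers offer a control for exactly that case, Subresource Integrity (SRI): the page pins a hash of the script in the `integrity` attribute and the browser refuses to run a file whose hash no longer matches. The following is an added example, not code from the article or from the company it describes: it computes the SRI value for a script body, emits the corresponding `<script>` tag, and acts as a small monitoring check that re-fetches pinned scripts and reports any whose content has drifted. The script bodies and URL are constructed stand-ins, and the "tampered" version differs only by a harmless comment, which is enough to show that any change at all is caught.

```python
import base64
import hashlib
import hmac
from typing import Dict, List

# Constructed stand-in for a hosted checkout script (hypothetical content).
ORIGINAL_SCRIPT = b"function submitCard(form) { return post('/pay', form); }\n"
# The same file after an unannounced change at the hosting location. Only a
# comment differs here; a real modification would look just as small in a diff.
CHANGED_SCRIPT = b"function submitCard(form) { /* edited */ return post('/pay', form); }\n"

# Hypothetical URL the transaction pages would reference.
SCRIPT_URL = "https://static.example.test/checkout.js"


def sri_hash(script: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value: '<algo>-<base64 digest>' over the exact bytes served."""
    digest = hashlib.new(algo, script).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, integrity: str) -> str:
    """The <script> element a page carries so the browser rejects a changed file."""
    return (f'<script src="{src}" integrity="{integrity}" '
            f'crossorigin="anonymous"></script>')


def verify(script: bytes, expected_integrity: str) -> bool:
    """Recompute the hash of a fetched body and compare it with the pinned value."""
    algo, _, _ = expected_integrity.partition("-")
    actual = sri_hash(script, algo)
    # Constant-time comparison; cheap insurance when comparing secrets or digests.
    return hmac.compare_digest(actual, expected_integrity)


def changed_scripts(pinned: Dict[str, str], fetched: Dict[str, bytes]) -> List[str]:
    """Monitoring step: given pinned SRI values and freshly fetched bodies,
    return the URLs whose content no longer matches (worth an alert)."""
    return sorted(url for url, body in fetched.items()
                  if url not in pinned or not verify(body, pinned[url]))


if __name__ == "__main__":
    pinned = {SCRIPT_URL: sri_hash(ORIGINAL_SCRIPT)}
    print(script_tag(SCRIPT_URL, pinned[SCRIPT_URL]))
    # Simulate a later fetch that returns the altered file.
    print("changed:", changed_scripts(pinned, {SCRIPT_URL: CHANGED_SCRIPT}))
```

    Two caveats a practitioner would want. SRI only protects scripts loaded from a `<script src>` with a pinned `integrity` value; a script that loads further scripts dynamically, or an `integrity` attribute served from the same compromised host, gives no protection. And pinning means a legitimate update to the script silently stops it loading until the hash is updated, so the monitoring check above belongs in the release process as well as in production alerting.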

    In the event of a breach of personal data, you have 72 hours to assemble as much information as possible before notifying the ICO of a breach. While it might be tempting to expend energy on blame, it is best to park that and focus on what happened, to what data, whether it's really personal, the likely scale and impact of the breach, including second and third order implications. 

    Avid Life Media ran websites that facilitated affairs between its customers. It gave the hollow promise that personal data would be "anonymous" and "100% secure." A hacker stole 36 million personal records from two of its websites and threatened to publish the data if the websites weren't closed. They weren't and the records were made public. The hacker originally entered the system by using a company insider's login details. 

    A report on the ALM breach by the Privacy Commissioners of Canada and Australia included the statement, "It is crucial for organizations that hold personal information electronically to adopt clear and appropriate processes, procedures and systems to handle information security risks, supported by adequate expertise (internal or external). This is especially the case where the personal information held includes information of a sensitive nature that, if compromised, could cause significant reputational or other harms to the individuals affected." Such harm, in this case, could include reputational damage, suicide and the financial and emotional fall-out from divorce, for example.

    Depending on your company's professionalism with respect to personal data privacy, the UK's ICO can react in a variety of ways from providing advice to imposing a fine of up to 4% of annual worldwide company turnover. It is vital, in the interests of protecting data subjects, that organisations move swiftly following the discovery of a breach in order to protect those whose data they hold.

    Any company facing a serious data breach will be able to turn to their Data Protection Officer (DPO) for guidance through the minefield of gathering, organising and reporting details to the ICO. Others in the company will be able to help and advise on notifying those affected by the breach. Some marketing-focused organisations have found it hard to resist putting promotional messages in their notifications - "We're really sorry this has happened but click here to get your special discount on your next order." Resist the urge. Stick to the facts and, if you want to, send a separate email offer a little later.

    The most important thing for all organisations is to have security procedures in place and for them to be shared and understood by everyone in the company that will be affected by them. Even if the approach is off-the-shelf, its implementation will vary by company. Sample incidents need to be created and procedures tested with all involved in order to prove their practicality. 

    If your department is handling personal data and you know nothing of these procedures and tests, then you need to investigate. Remember, in the event of a breach discovery, you have only 72 hours to give the ICO a meaningful reaction. You wouldn't want to be inventing procedures on the fly.

    Sometimes it's hard to get all the information together within the 72 hours or perhaps you're not even certain that any personal data has been lost. In either case, the ICO still expects to be notified and kept up to date reasonably quickly after the initial deadline. 

    Decent data protection procedures that are followed will go a long way to spare you a fine. It's the deniers, the duckers and divers that tend to get it in the neck, often very publicly and with great consequent harm.

    About David Tebbutt

    David Tebbutt loves writing for senior business professionals, mainly on how technology can support them.
