GDPR has now been in place for a year and, while the ICO has previously claimed it doesn’t intend to come down too hard on businesses still getting their privacy plans straight, the heavy fines are about to hit.
This month, Marriott faces fines of around £100 million due to a data breach discovered in 2018 involving more than 339 million customer records being compromised. Earlier in the year, the ICO levied a £186 million fine at British Airways for a hack which exposed 500,000 customers’ payment details and personal information. While these are clearly the most highly publicised because of the size of the fines and companies, this shows that the ICO intends to get serious about GDPR in the near future and that small businesses can no longer afford to skate by with compliance.
These fines represent 3% of Marriott’s annual global revenue and 1.5% of the revenue of British Airways. While fines have not yet reached the maximum limit of 4% of global turnover, each fine shows just how significant insecure privacy practices can be to businesses of any size. As many as a third of UK businesses still aren’t fully GDPR compliant, leaving them open to intense scrutiny from the ICO in the future if nothing is changed.
Marriott’s fine was so large because of the sheer size of vulnerable records but also because of mismanagement in direct contravention with basic GDPR requirements – the company discovered the breach in September 2018 and waited two months to report it to the ICO, far more than the 72 hours expected under GDPR.
Here, Damon Culbert from Bioteknik explains what the five common data privacy issues are that many businesses are still tackling and how small businesses can start to get a hold of them and keep themselves compliant.
Issues with manual security measures
Often in businesses, security is manual and periodic rather than continuous, especially for small business owners who see data protection as the last of their concerns compared with establishing their company. However, this results in fluctuation in compliance and also leaves privacy practices open to human error.
Even a brief lapse in compliance could open a window of opportunity for any hacker, allowing personal data the business holds to be compromised. Not only will this result in issues with the ICO, but this can also be seriously damaging for the reputation of the business and can even end in monetary losses as a result.
Ensuring that a robust data protection strategy is established and that regular monitoring is an essential part of proper data protection. For businesses which manage a lot of personal data and regularly collect and hold it, investing in automation or artificial intelligence software can help maintain the required security practices and avoid human error.
Third-party data sharing
One of the most significant areas of data insecurity in business is in the transfer of data between organisations in a supply chain. It is becoming more common for large businesses to demand all partners meet a certain standard of data protection before working with them due to the risk to all data handlers under the new regulations.
To stay ahead of compliance and protect reputation with partners, organisations should aim to make their data protection practices as exhaustive as possible and ensure that their monitoring activities assess not only assets owned by the company but all third-party assets too. Making sure your link in the supply chain is up to the task, as well as all the links beyond will help your business avoid issues with the ICO.
When to ask for consent
A recent survey by tax audit advisors RSM found that over 1/3 of UK businesses don’t understand when consent is required to hold and process data. While the GDPR states that consent is only one of six lawful basis frameworks for gathering and using data and will not always be necessary, understanding when it’s right to ask for subjects’ consent is an important part of getting GDPR compliance right.
The ICO states that consent must be freely given, specific, informed and unambiguous. Some instances which are likely to require consent include:
- When you’re using data in an unexpected or intrusive way – i.e. passing it on to any other third parties
- Under e-privacy laws for marketing communications, cookies and tracking software
- When you want your customers to engage with the way you use and hold their data – this can be a useful way of building trust by allowing for more personalisation
Asking for consent is usually inappropriate when you need to share the data irrespective of the answer. For example, if sharing the data is a necessary part of the service you provide which wouldn’t be possible without it, or if consent is required before accessing your service. Both of these examples disregard the requirement for consent to be freely given and will come under a different lawful basis under GDPR.
As in the case of Marriott, the ICO won’t take lightly to improper management on the discovery of a data breach in the future. If your business suffers a hack or other type of privacy breach, having an established recovery process will help mitigate the damage and will be received well by the ICO. Whether this involves cyber insurance or a team member dedicated to cybersecurity, ensuring as little data is risked as possible and that the gaps in your security are closed quickly will help protect your business.
Any breach discovered must be reported to the ICO within 72 hours and any customers potentially affected need to be informed as soon as possible. If these requirements aren’t followed, you could risk stricter punishment as well as a loss of respect from clients and a severely damaged reputation.
Right of access
Under GDPR, all European data subjects have the right to access all the data an organisation holds on them. If a subject chooses to request this data, it must be supplied within a month of the request. For small business owners, organising the collection of a specific customer’s data can be a difficult and time-consuming task. Planning out a process ahead of a request ensures that, should any customer exercise their right to access in the future, the business stays compliant and hands over the data within the month.
While the drama of GDPR fines might currently be playing out in the media, taking simple steps to secure all data and ensure all data-related practices are compliant will enable co-operation with the ICO and help your business in more ways than one.