The milestone date of May 25, 2018 has come and gone and the GDPR is here to stay. Much as we would like to sit back, relax and congratulate ourselves on a job well done, this date was just the beginning.
In the run-up to May 25, companies rushed to introduce GDPR policies to ensure compliance under the new regulation. Now attention has turned to data breaches and how significant the fines will be, with companies that suffer a breach finding themselves very much in the public spotlight.
In the UK, one of the earliest notable breaches reported since the GDPR took effect came from Dixons Carphone, which announced in June that it had been the victim of a massive attack compromising 10 million customer records and 5.9 million payment cards.
This comes after TalkTalk, part of Dixons Carphone's mobile phone division, was fined a then-record £400,000 under the Data Protection Act 1998.
It is estimated that the TalkTalk breach cost the business £60M (USD 76M) and more than 100,000 customers. The full impact on Dixons Carphone's reputation has yet to be realized, but its share price has already dropped following the breach announcement, and the scale of the breach is so vast that the UK Government Communications Headquarters (GCHQ) has been drafted in to investigate. It will be interesting to watch how this plays out and whether the UK Information Commissioner's Office (ICO) takes advantage of the new level of fines available to it and imposes a higher fine than the one previously imposed on TalkTalk, assuming the breach is found to fall under the new regime rather than the 1998 Act.
Another breach report to watch is from Typeform, an online survey company whose customers use its software to conduct surveys and quizzes. This one is interesting because each of Typeform's customers collects data from potentially thousands of their own customers on the Typeform platform, so the scope of a single breach is multiplied across every customer's own user base. Its customers include well-known names including Fortnum & Mason, Monzo and Birdseye. The breach affected the personal data of 20,000 of Monzo's customers, and Monzo has subsequently ended its relationship with Typeform.
Under the UK Data Protection Act 1998, the maximum fine the ICO could impose was £500,000 (USD 638,000). Under the GDPR, the maximum fine is the greater of 4% of global annual turnover or €20M (USD 22.9M). A lot has been made of these huge potential fines, so it will be interesting to see how these stories play out and the level of fines actually levied.
In early July, Facebook was fined £500,000 for its part in the Cambridge Analytica scandal. Because of the timing of the breach, the ICO said it could not levy the fines introduced under the GDPR. Elizabeth Denham, the Information Commissioner, said, “This was a very serious contravention, so in the new regime they would face a much higher fine.” When asked if the fine under the GDPR would amount to millions of pounds, she replied, “It could.”
For Facebook, 4% of its global turnover would be USD 1.9BN.
Regardless of the fines involved, a data breach can have an enormous impact, with the potential to destabilize a company for years to come. So what steps can you take to ensure ongoing GDPR compliance and mitigate the risk of a data breach in your own systems?
Step 1 - Create and Maintain an Inventory of Your Software Estate
Maintain a complete overview of your entire software portfolio, paying particular attention to SaaS applications and software installed on mobile devices, as these are often overlooked. Identify who is using applications that access personal data and the type of data they are accessing, whether it is just names and addresses or whether it includes financial or medical data. Using this information, you can prioritize and focus efforts on checking whether each instance of access is actually necessary. If it is required, document it in your Record of Processing Activities (RoPA); if not, remove the access.
Once you have your overview, run regular audits to ensure you capture any changes.
Step 2 - Document How Data is Processed
Make a list of processing activities and the categories of processing activities, including the name and contact details of the data processors. You must also record any third parties or non-EU countries you share data with, because as the controller you remain responsible for using only processors that provide sufficient guarantees of adequate security measures for the data (Article 28). I’ll be intrigued to see whether Monzo and others must take some responsibility for the Typeform data breach if it’s found that Typeform did not have sufficient security measures in place.
Step 3 - Assess Vulnerable Software on all Devices
Identify unpatched and outdated software on all devices and focus on investigating and updating those that are most critical to you. Also check for software that has reached its End of Life (EOL). Many companies keep running legacy software because it has worked for years without incident, but the vendor no longer provides fixes or security updates for these versions, so any vulnerability found in them stays open permanently. Upgrade or remove them.
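The three steps above amount to one recurring audit: list what you run, note who uses it and what personal data it touches, and flag anything undocumented, unpatched or past its vendor's end of life. The script below is an added example of that audit, not code from the original post; the inventory format, the `DATA_WEIGHT` ranking, and every application name, version and date in it are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Set, List, Dict
import re

# Sensitivity weight per personal-data category. This is an assumption used only for
# ranking, not a legal classification: financial and medical data are the cases the
# post singles out, plain contact data is not.
DATA_WEIGHT = {"contact": 1, "financial": 3, "medical": 3}


@dataclass
class App:
    name: str
    version: str
    latest_version: str        # newest vendor release for the line you actually run
    eol: Optional[date]        # vendor end-of-life date for that line, None if still supported
    platform: str              # "server", "saas" or "mobile" (the last two are the easily missed ones)
    data_categories: Set[str]  # keys of DATA_WEIGHT; empty set means no personal data
    users: Set[str]            # teams or accounts that use it, so you know who to ask
    in_ropa: bool              # already documented in the Record of Processing Activities?


def parse_version(v: str) -> tuple:
    """Turn '4.2.1' into (4, 2, 1) so versions compare numerically, not as strings
    (as strings, '4.10.0' would sort below '4.9.0'). Non-numeric fragments compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))


def audit(inventory: List[App], today: date) -> List[Dict]:
    """Return one finding per application that needs attention, highest priority first."""
    findings = []
    for app in inventory:
        sensitivity = max((DATA_WEIGHT[c] for c in app.data_categories), default=0)
        issues = []
        # Steps 1 and 2: personal-data access that nobody has documented
        if app.data_categories and not app.in_ropa:
            issues.append("processes personal data but is not in the RoPA")
        # Step 3: the vendor no longer ships security fixes
        if app.eol is not None and app.eol <= today:
            issues.append(f"end of life since {app.eol.isoformat()}")
        # Step 3: fixes exist but have not been applied
        if parse_version(app.version) < parse_version(app.latest_version):
            issues.append(f"unpatched: {app.version} installed, {app.latest_version} available")
        if issues:
            findings.append({
                "name": app.name,
                "platform": app.platform,
                "users": sorted(app.users),
                "issues": issues,
                # Each issue counts once; the sensitivity of the data it touches multiplies it,
                # so an EOL app with no personal data still appears, just near the bottom.
                "score": (sensitivity + 1) * len(issues),
            })
    findings.sort(key=lambda f: (-f["score"], f["name"]))
    return findings


# Constructed sample inventory: names, versions, users and dates are made up for the example.
AUDIT_DATE = date(2018, 7, 20)
SAMPLE_INVENTORY = [
    App("PayrollSuite", "4.2.1", "4.2.7", date(2017, 12, 31), "server",
        {"contact", "financial"}, {"hr-team"}, in_ropa=True),
    App("SurveyCloud", "2018.06", "2018.06", None, "saas",
        {"contact"}, {"marketing"}, in_ropa=False),
    App("FieldNotes", "1.8.0", "1.9.2", None, "mobile",
        {"contact", "medical"}, {"district-nurses"}, in_ropa=True),
    App("BuildAgent", "3.0.0", "3.0.0", date(2018, 1, 15), "server",
        set(), {"ci"}, in_ropa=False),
    App("TeamWiki", "7.1.0", "7.1.0", None, "server",
        set(), {"everyone"}, in_ropa=False),
]


def run_sample() -> List[Dict]:
    return audit(SAMPLE_INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f['score']}] {f['name']} ({f['platform']}, users: {', '.join(f['users'])})")
        for issue in f["issues"]:
            print(f"      - {issue}")
```

Run against the sample, the EOL and unpatched payroll system carrying financial data comes out on top, the unpatched medical-data mobile app second, the undocumented SaaS survey tool third, and the EOL build agent with no personal data last. In practice the inventory comes from your asset-management or MDM export and the `latest_version`/`eol` columns from vendor lifecycle pages; the point of re-running it on a schedule, as Step 1 recommends, is that the SaaS and mobile rows are the ones that change without anyone raising a ticket.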
Step 4 - Train Your People
Make sure your staff are trained on the GDPR rules and responsibilities and continually retrain them as they change roles and new people start.
Your staff should be fully aware of the importance of personal data and how they could personally cause a breach. With this knowledge in place, they can play a vital role in minimizing risks and identifying breaches if they occur.
Not all data breaches have to be reported, only those likely to result in a risk to the rights and freedoms of individuals. It is your responsibility to judge whether the breach could have a significant detrimental effect on individuals; if it is likely, the breach must be reported to the ICO within 72 hours of becoming aware of it, and where the risk is high the affected individuals must be told as well.
Achieving and maintaining GDPR compliance is complex, time consuming and expensive. The main thought to keep in mind is that GDPR compliance is a continual process and the more you refine it, the better it will become.
The GDPR may also have a positive impact on your business: all the personal data you hold will be held on a documented lawful basis, and where that basis is consent, the people concerned have actively agreed to hear from you and are more likely to be receptive when you do. Some companies have already seen an opportunity and found benefits from implementing the GDPR: “We have learned a huge amount about our customers, through the process of the GDPR,” says Steve Wright, Data Protection and Information Security Officer from The John Lewis Partnership, “and that is a fantastic value proposition.”