Urgent improvements needed to corporate data lifecycle management
No-one can deny that the availability and use of data in enterprises is at an all-time high. The growth of […]
British businesses have been hit by over 10,000 data breaches in the GDPR era – British Airways was one of the biggest. A data breach that was reported by the airline in September 2018 disclosed that 244,000 payment cards had potentially been compromised in a hack the previous year. The new GDPR regulations state that any breach should be reported within 72 hours, so BA have avoided a financial fine, but their reputation for managing personal data was arguably compromised.
The biggest GDPR fine yet was handed out to Google France – that was some £44m, given by the French data protection watchdog, CNIL, in January. CNIL found that Google failed to offer users transparent information on data use and made it too difficult for users to find essential information, ‘such as the data-processing purposes, the data storage periods or the categories of personal data used for the ads personalisation’ – privacy notices that were split across myriad documents, help pages and settings screens, for example.
The Information Commissioner’s Office (ICO) fined Facebook £500,000 for serious breaches of data protection. WhatsApp and a series of other social media giants are also being probed.
New, up-to-date data retention policies have been written, and GDPR awareness training sessions have been run for anyone who handles personal data within the organisation. Senior management teams have also undertaken advisory workshops on best practice for what to do when a breach occurs.
The Google France fine should prompt businesses to sit up and take note.
It’s not just the financial levy imposed on businesses, but the reputational damage that follows these – newspaper headlines for a data breach are never a good thing in highly saturated, competitive marketplaces – as this can erode trust in the brand.
Many stakeholders within small-to-medium-sized organisations have (anecdotally) claimed that the fines a post-GDPR world warned of haven’t materialised. Yet the Google France fine could be the tip of the iceberg.
Universities, law firms, pharmaceutical companies and banks should all be poised to carefully explore what’s in their records stores, as much of the data will contain documents belonging to individuals which may breach their retention policies. All it takes is one subject access request to prompt a business into action.
Absolutely. There’s an emerging trend of attackers mining the mass of unstructured data that any business holds – a Word document, PDF or e-mail, for example – to reach the prized personal data that organisations hold.
In an always-on, social media-driven world, the likelihood is that GDPR breaches are happening on a daily basis and we’ve probably just seen the tip of the iceberg so far.