Until recently, most of the enforcement action taken by the ICO related to unlawful or unsolicited marketing activities.

In the last eight months the ICO has issued penalties totalling just short of £40 million to three companies for failing to protect customer information. This demonstrates that GDPR is not going away even though Brexit has taken place. The Data Protection Act 2018, together with the UK GDPR it sits alongside, carries the requirements of the EU GDPR into UK law. The risk of significant penalties therefore remains: under the UK GDPR the maximum fine is £17.5 million or 4% of annual global turnover, whichever is higher.

Protecting your customer data: what does that really mean?

Your organisation must implement data protection by design and by default; this is now a legal requirement in the UK. It was previously known as “privacy by design”. In practice this means you must:

  • Have in place appropriate technical and organisational measures that implement the seven key data protection principles. These measures must be effective and must safeguard the rights of individuals. This is what is meant by “data protection by design and by default”.
  • Integrate and embed data protection into your processing activities and business practices, from initial design through the whole lifecycle of the data.
  • Be able to demonstrate your compliance with the UK GDPR. The law takes a risk-based approach and places accountability squarely on the organisation.

Root Causes of Security Incidents

When UK data protection law was updated in 2018, it was widely assumed that cyber threats would be the greatest risk. Most of those threats can be reduced or remediated by technical measures and processes.

In fact, since the ICO began publishing security incident statistics in 2017/18, the consistent trend has been that more than 65% of reported incidents are categorised as non-cyber. The root cause is the action of a person inside the organisation: for example, data emailed or posted to the wrong recipient, or paperwork lost.

Now more than ever, protecting your organisation and its reputation sits firmly in the hands of your employees.

Reducing your risk

At Net-Defence we offer a programme of practical solutions and certifications to ensure you have “data protection by design and by default” in place and can demonstrate it. Learn more on our Information Security pages.