Despite what many believed GDPR was not a flash in the pan, it didn’t disappear with Brexit so it definitely is not just for Christmas! Until recently many of the enforcement actions taken by the ICO have related to unlawful and or unsolicited marketing activities. Leading many organisations to believe they’re safe!
In the last 8 months the ICO has issued penalties just short of £40 million to 3 companies for failing to protect customer information. This demonstrates that GDPR is not going away even though BREXIT has taken place. The UK Data Protection Act (2018) is UK equivalent EU GDPR directive, and is Law in the UK. This means, the risk of significant penalties still exists (20 million euros or 4% of global turnover, whichever is greater).
Many organisations have also waited with bated breath of the outcome of the Lloyd Vs Google class action. The case was brought against Google by David Lloyd a consumer activist, claiming google used 4.4 million iPhone user’s data over several months for commercial gain. The outcome did not go Lloyd way however the courts did not close the door for such actions in the future. If anything, it is a learning case that with changes could have successful. Which would have cost Google an estimated £3 billion!
Protecting your customer data, what does that really mean?
Your Organisation must implement data protection by design and default, this is now a legal requirement in the UK. This was previously known as “privacy by design”. Meaning you must;
- Have in place appropriate technical and organisational measures to implement the 7 key data protection principles. These must be effective and safeguard the rights of individuals. This is known as “data protection by design and default”.
- Integrate and imbed data protection into your data processing activities and business practices, from design through the lifecycle.
- Be able to demonstrate your compliance to UK GDPR legislation and law, this is a key risk-based approach and focusses on Organisation Accountability.
Root Causes of Security Incidents
It was a widely considered that Cyber Threat would be the greatest risk when the UK Data Protection Law was updated in 2018. The majority of which can be remediated and reduced by technical measures and processes.
In truth, since the ICO started reporting security incidents back in 2017/2018 the continued trend is that more than 65% of incidents are categorised as Non-Cyber. The root cause being the actions of a human in your organisation.
Now more than ever protecting your Organisation and its reputation sits firmly in the control of your employees.
Reducing your risk
At Net-Defence we offer a program of practical solutions and certifications to ensure you have “data protection by design and default” and an ability to demonstrate this. Learn more