The news that Carphone Warehouse was fined £400,000 by the Information Commissioner’s Office (ICO) for a data breach in 2015 has made a lot of people nervous. It is the largest fine the ICO has ever issued and suggests that a new precedent is being set after years of negligible fines. In addition, the new General Data Protection Regulation (GDPR), coming into force in May of this year, includes much more stringent rules regarding a business’ obligations to store, protect and manage customer data.
Many companies are currently reviewing their policies and procedures in areas such as opting people in to marketing lists, managing customer requests for data and IT security. These all play a valuable role, but they need to be backed up by the right infrastructure to make sure that a company can actually fulfil the requirements.
Security is a big issue; the Carphone Warehouse fine was imposed because customer and staff data were accessed without authorisation after the company was hacked. It may appear that this isn’t the company’s fault, but the ICO found that the company had not taken measures adequate for an organisation of its size to protect against such attacks. Under the new rules, fines for data breaches are increasing: the maximum fine rises from £500,000 to €20 million or 4% of global turnover. It’s not only the accessing of data that can cause problems – failure to report a breach, when required to do so, can also result in fines.
The size of the fines may seem daunting for SMEs, but both the fines and the expectations are carefully scaled. An SME with 15 staff wouldn’t be expected to have the same level of security as a multi-million-pound blue-chip company, and the fines wouldn’t be as severe – although of course even a smaller fine could have a big impact. What matters is that you have both policies and an infrastructure in place which demonstrate that you have taken reasonable measures to protect the company. From lax policies to out-of-date kit or a lack of data recovery resources, there are many ways you might fall foul of the ICO if you are hacked.
Given the number of headlines about hacking and security breaches, many companies may have recently completed a security audit. There are other GDPR rules which require consideration, however. The new rules contain special protections for children’s personal data and for sensitive personal data, which will soon include genetic and biometric data. The timescale for responding to subject access requests is decreasing from 40 days to a month, and companies can no longer charge for dealing with a request.
There are also new rules about international transfers which may have an impact on a global organisation because any data transfers outside the EU will be subject to restrictions. There has been a lot of focus on the customers’ right to be forgotten – data subjects can request deletion of their personal data in certain situations.
In all these cases, having the right infrastructure can help: from secure storage and backup to security and simple, provable deletion of data, you can build these requirements into your current setup. It may be worth enlisting specialists to make sure you make the right resource investments in the coming months. Colocation, for example, ensures your kit is well maintained in a secure, controlled environment and could provide proof of both security and good practice when it comes to storage and backup of data. The GDPR may be making additional demands on your infrastructure, but if you take a strategic approach, many of them will benefit your business in the long run.