The corporate world is currently awash with chief executives understandably asking their data protection officers and chief information officers questions about their EU General Data Protection Regulation (EU GDPR) preparations.
The EU GDPR is designed to bring a level playing field to the data protection landscape across all European Union member states which currently have their own directives in place to manage data protection.
It will take effect on May 25, 2018 and will apply to any organisation – either from or outside of the EU – that offers goods or services to EU residents.
If the trade press covering the upcoming data protection regulation is anything to go by, companies are almost too caught up in the flurry of worrying reminders that they stand to lose either 20 million euros or 4 percent of global turnover, whichever is reached first, should they fall foul of the regulation.
Not a day goes by without research from a security vendor saying that few companies are ready for the legislation. One study published recently even went as far as to say that only 2 percent of organisations are GDPR compliant and, even worse, that some companies mistakenly think they are compliant when they are not. All round, not good news.
But some have said UK PLCs are missing the point. Speaking at InfoSecurity Europe 2017, Peter Brown, a senior technology officer from the UK’s Information Commissioner’s Office (ICO), said that the issue isn’t a “carrot and stick” one.
While you can use the legislation to scare board directors into submission by highlighting the risk of damaged reputation and the obvious hefty fines, Brown said there is an opportunity to highlight the positive side of things: the success opportunities available to those who excel at GDPR compliance.
Brown argued that companies that are fully compliant and proactive in protecting their customers’ information will reap the rewards. He said: “It’s not about the fines, it’s about doing things right. The GDPR is a 21st century bit of legislation and we should react accordingly by adjusting our behaviour and mindset towards data.”
And it would seem that it can’t come soon enough. TalkTalk, famed for being the victim of a recent data breach orchestrated by a 15-year-old and a 17-year-old, was recently fined another £100,000 for what security pundit Graham Cluley has described as “carelessly exposing customer data”.
This recent punishment follows an earlier £400,000 fine for neglecting to tell the ICO of its aforementioned breach. The fine was the largest ever given by the ICO, which is the UK’s data protection watchdog.
A release from the ICO says that an investigation found TalkTalk breached the Data Protection Act because it allowed staff access to large quantities of customers’ data, including names, addresses, phone numbers and account numbers. Its lack of adequate security measures left the data open to exploitation by rogue employees.
The breach came to light in September 2014 when TalkTalk started getting complaints from customers that they were receiving scam calls. Typically, the scammers pretended they were providing support for technical problems. They quoted customers’ addresses and TalkTalk account numbers.
TalkTalk is not alone in its reoffending either. Back in May, the ICO fined a telemarketing company £400,000 for conducting 99.5 million calls over an 18-month period, following over 1000 people complaining about automated nuisance calls.
The calls enquired about PPI compensation and whether those receiving the call had been involved in a car accident which wasn’t their fault. The company, named Keurboom Communications, according to a release from the ICO “showed scant regard” for data protection laws and the consent required to make such calls.
The problem with companies like Keurboom Communications is that once they receive a fine, they go into voluntary liquidation, and the ICO then has to spend more time trying to recover the money.
The last time a company went into liquidation following a fine was when the ICO fined Prodial, a lead generation company, £350,000 for making 46 million nuisance calls.
The ICO’s powers will be further strengthened when the government introduces a new law allowing it to fine the company directors behind nuisance call firms. Making directors responsible will stop them avoiding fines by putting their company into liquidation.
It’s occurrences like these that almost make you feel like the EU GDPR can’t come soon enough. And not because of the fines; quite the opposite. It might make companies understand the point at hand: it’s no longer OK to treat information about customers like cannon fodder. It’s something which should be respected and treated with care. And that is exactly why the GDPR is being enacted.