Breach Could Put Whole Industry Under Scrutiny
You would have struggled to miss the recent announcement that the ICO intends to fine British Airways £183 million for a data breach. A cyber incident at the airline discovered in September 2018 saw over 500,000 customers’ personal data (including bank details) accessed by cyber criminals. The ICO bared its teeth – and they are sharp!
It shouldn’t come as a surprise. Since GDPR came into force, the regulator has been telling us how seriously it takes poor security and loss of personal data. At the same time, it’s hard not to be shocked at the severity of the fines. British Airways faces a penalty equivalent to 1.5% of its turnover for 2017, or 5% of its profits for 2019. How many businesses could afford to take such a hit? And that’s not even the full force of the ICO – which has the ability to fine businesses up to 4% of their annual turnover!
How would you fare if the ICO came knocking?
Today’s Will & Probate reported just last month how the legal sector is ill prepared for cyber-attacks, but how prepared would you be if the ICO came knocking? It’s easy to dismiss this in an ‘it couldn’t happen to my business’ kind of way, but the highly sensitive data handled by will writers could make the industry a target – not just for cyber criminals but for the ICO.
This isn’t just speculation – there is precedent. Last year, the ICO identified the care home sector as ‘a particular area of concern’ having spotted that care homes were under-represented on the fee payer database. How would our sector fare if we were next on the ICO hitlist?
GDPR myths are still circulating
Many will writers believe they have GDPR compliance in the bag but are you 100% clear on what compliance involves? Would you be as confident in the cold light of a data breach, a subject access request or a complaint to the ICO? Would you say your staff are your first line of defence against non-compliance or your biggest risk? If you wavered on any of these questions, you might want to consider the GDPR myths that we are still hearing:
- GDPR is just like Y2K
25th May 2018 came and went – just like 31st December 1999 – and the apocalypse never happened, right? Well, that’s where the similarities end. Despite what many still believe, GDPR is not like the Y2K millennium bug. The requirement to prepare for it didn’t end on 25th May 2018; it began. GDPR compliance is a journey. Even if you were compliant on 25th May 2018, you may no longer be compliant. Your systems, practices and procedures need continual review to ensure that the data you hold and process remains appropriate, necessary and secure. The regulator and your customers are becoming ever more alert to privacy control.
- I have a privacy notice, I’m compliant
It is still a widespread belief that having an up-to-date privacy notice on your website equals compliance with GDPR. I’m afraid to say that this is just the start – along with paying your data protection fee to the ICO. You also need to put physical and cyber security measures in place, define policies and procedures around the handling of data in your organisation and train your staff in these, have processes in place for data breaches and subject access requests and ensure that the businesses you share data with are also compliant. And once you’ve done all of that, you need to make sure that all your data protection systems remain up-to-date and compliant over time as your team, the ways you work and the data you need change.
- I’m not likely to have a breach
In the first 11 months after GDPR came into force, over 14,000 breaches were notified to the ICO. And according to a recent survey by the Department for Digital, Culture, Media & Sport, 32% of businesses identified cyber security breaches or attacks in the last 12 months. Bear in mind that cyber-attacks represent only 16% of data breaches and you start to understand the scale of the problem. It’s no wonder that in a recent mini survey we ran, over 80% of will writer respondents said a data breach was their biggest worry – their concern is well placed. The question is when rather than if you have a breach.
- GDPR doesn’t matter because of Brexit
Whilst the EU GDPR would no longer apply in the UK after a no deal Brexit, the UK Government has taken steps to ensure that data protection still works from day one – by basically creating a UK GDPR. It has stated that ‘the fundamental principles, obligations and rights that organisations and data subjects have become familiar with will stay the same.’
How do you want your personal data looked after?
The best way to think of GDPR is in terms of how you would like your own personal data looked after – let’s face it, none of us want to think about our contact details – or worse still, our credit card details – being left on a train, shared with another business without permission or in the hands of criminals. Aside from the personal benefit, though, those who have undertaken the journey to GDPR compliance have found that their business is in better shape for it. Perhaps, with British Airways in the back of your mind, now would be a good time to take the GDPR bull by the horns and get your business on the right side of the law and of your clients?
Written by Gerard Fisher, Managing Director and GDPR practitioner, Astrid Data Protection
This article was submitted to be published by The Society of Will Writers as part of their advertising agreement with Today’s Wills and Probate. The views expressed in this article are those of the submitter and not those of Today’s Wills and Probate.