GDPR | British Airways slapped with hefty £183m fine


GDPR has transformed the way in which companies can handle customer data.

Do you find it frustrating to have to constantly 'opt in' when browsing websites? You have GDPR to thank for that. But it isn't all an irksome tick-box exercise. Essentially, it boils down to putting control of personal data back into the hands of clients, customers and employees, and placing greater responsibility on the businesses and individuals that process that data to show they are looking after it, and that they know what to do if security is breached.

Fines are huge, too. Within the first year, over 200,000 cases were reported, with fines topping a massive £56million. At the upper limit, firms can be fined four per cent of their annual global turnover (or €20million, whichever is greater).

One of those counting the cost of GDPR is British Airways, which was today told by the Information Commissioner's Office (ICO) that it intends to fine the airline a massive £183million after the personal data of more than 380,000 customers was stolen, The Mirror reported.

For more than two weeks in 2018, cyber criminals were able to access and harvest the personal data of customers who used the British Airways website, putting BA in breach of its security obligations under GDPR.

"We are surprised and disappointed in this initial finding from the ICO," British Airways Chief Executive Alex Cruz told the Mirror. "British Airways responded quickly to a criminal act to steal customers' data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused," he added.

Yet Information Commissioner Elizabeth Denham argued that the ruling was entirely fair given the severity of the breach. Denham stated that companies processing customer data are trusted to keep it safe, and that when this doesn't happen, action must be taken.


"People's personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience," she said.

"That's why the law is clear – when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights," Denham added.

Who is responsible for GDPR?

During a recent webinar, Alan Calder, Founder and Executive Chair of IT Governance, pointed out that GDPR must be approached in the same way as health and safety. Accountability starts with the Board, which should ensure GDPR compliance is on the corporate risk register and should assign responsibility for applying GDPR to a named director.

Sarah Williamson, Partner at law firm Boyes Turner, added that all employees should be trained and aware of GDPR, and that the Board should determine who in each department will be involved in compliance. "The responsibility can be assigned to one person within each department, or a team, depending on the organisation," she explained.

"It varies across each function, the volume of data processing within an organisation and the sensitivity of that data. Some may just need one person in charge, whereas firms that process a lot of personal data will need a much bigger team. Either way, they must be trained. Data protection affects all parts of an organisation and will need to be a regular Board agenda item, as well as a departmental one."
