Recent statements suggest that there is still work to be done when it comes to embedding GDPR into an organisation's processes.
There is an assumption placed on all businesses that the data and information they collect should be used responsibly. Within financial services in particular, data is considered to be a core asset.
If there is a breach, then large fines and negative publicity can result. What is more, all-important consumer trust can quickly disappear, which can be even more damaging in the long run.
Many people are now well aware that their data must be held securely. The Information Commissioner, Elizabeth Denham, wrote in a recent blog that:
“One of the defining trends of the digital age has been a growing awareness of data protection rights. More people are becoming aware of the personal data that sits at the centre of so many of the online services we access, and realising their own rights with regard to that data.”
In its annual track survey, the ICO has looked at which aspects of data protection cause most concern, with cyber security ranking top, followed by children’s privacy and data sharing.
Ms Denham emphasised that, overall, there was still work to be done, with many firms still not fully committed to the “accountability aspects” of the General Data Protection Regulation. Earlier, in April, she said these should become “part of the culture and fabric of an organisation”, with data professionals needing a broad skill-set to both educate and inspire their colleagues, including ability in:
- Legal as well as business analytics, able to understand how data protection fits with the vision of an organisation and where it can be imperative, positive and transformative.
- Coaching – working to build a network of ambassadors within the business who understand what needs to be done.
- Marketing – finding creative ways to get people to look up from their day jobs and realise they all need to buy-in.
The message here is for firms to employ the best talent and back up expertise with robust systems and processes. Arguably, many financial services firms have embedded GDPR well into their processes, but a lapse could prove devastating. As Ms Denham elaborates:
“Our enforcement work issuing fines or pulling back the curtain on hidden processing can often decrease trust and confidence in the short term, as people learn of poor data practice of which they had been previously unaware. That theory is supported in the survey showing the decrease in trust and confidence alongside an increase in people’s awareness of their data protection rights.”
Fortunately for financial services firms – but not for the companies concerned – others are currently in the ICO’s bad books. In July, British Airways was fined £183.39 million under the GDPR for a personal data breach which occurred in August 2018. Some 500,000 BA customers were affected by the breach, which involved the diversion of user traffic from BA’s website to a fake site. The compromised data included names, email addresses and payment card details used during the booking process. The penalty was some 1.5% of BA’s global annual turnover in 2017 – the highest GDPR fine issued so far by a European Union data protection regulator. Also in July, hotel group Marriott was fined £99.2 million for a breach connected to the reservation database system of Starwood, a chain which it had acquired; this impacted around seven million records relating to UK individuals.
The ICO stressed that in both cases the fines were below the GDPR thresholds of 4% of annual turnover or €20 million, because the companies had co-operated and acted to improve security. But the ICO is also showing its colours as a regulator that is primed and ready for enforcement action. One giant organisation which will be only too aware of this is Facebook, which is in the midst of preparing to launch its new crypto-currency, Libra. The ICO has said it has concerns about data sharing practices given Facebook’s earlier problems, and has asked for details on how financial information will be held securely.
Whether large or small, all organisations need to meet their data security obligations – and given the ICO’s recent track record, there is no time like the present to ensure this has the highest priority.