By JP Buckley
The ICO continues to undertake enforcement action under the previous Data Protection Act 1998. It applies where the breach occurred before 25 May 2018, when the GDPR and the Data Protection Act 2018 came into force. Recent enforcement action shows that the trends continue: data protection and security are still not being taken as seriously as they need to be. We have seen Heathrow Airport lose an unencrypted memory stick holding personal details and airport security details (and hence a fine of £120,000), and Bupa Insurance’s systems being used by a staff member to extract hundreds of thousands of customer details, which were then placed for sale on the dark web (and then a fine of £175,000). Along with the fines come the cost of dealing with the issues once they are discovered and the reputational damage. Key takeaways are: secure data when in transit (but don’t be so prescriptive that people try to get round the rules, creating greater risk) and ensure database access is proportionate and monitored – check for unusual activity and large downloads.
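As an added illustration of the second takeaway (monitoring database access for unusual activity and large downloads), the following Python script is example code written for this page, not something from the post's author or from either organisation mentioned. It assumes a constructed audit log format (timestamp, user, action, table, rows returned) and constructed thresholds; it flags any user whose daily extraction volume exceeds an absolute limit or is far above that user's own prior daily median.

```python
"""Flag bulk record extraction in a database audit log.

Added example for this page (not from the original post). The log format,
user names, dates and thresholds are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import statistics

# Constructed audit lines: ISO timestamp, user, action, table, rows returned.
SAMPLE_LOG = """\
2018-03-01T09:12:04 alice SELECT customers rows=120
2018-03-01T10:40:11 bob SELECT customers rows=95
2018-03-02T09:05:52 alice SELECT customers rows=140
2018-03-02T11:22:31 bob SELECT customers rows=80
2018-03-03T08:59:10 alice SELECT customers rows=130
2018-03-03T23:41:07 bob SELECT customers rows=547000
2018-03-03T23:45:19 bob EXPORT customers rows=547000
"""


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    table: str
    rows: int


def parse_line(line):
    """Parse one constructed audit line into an Event."""
    ts, user, action, table, rows = line.split()
    if not rows.startswith("rows="):
        raise ValueError(f"unexpected field: {rows}")
    return Event(datetime.fromisoformat(ts), user, action, table, int(rows[5:]))


def daily_totals(events):
    """Sum rows returned per user per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        totals[e.user][e.ts.date()] += e.rows
    return totals


def flag_bulk_extraction(log_text, absolute_limit=50_000, baseline_multiplier=20):
    """Return (user, day, total_rows, reason) for each suspicious user-day.

    Two independent checks, so a first-day spike with no history is still
    caught by the absolute limit, and a slow-building user is caught by the
    comparison against their own earlier daily median.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    for user, per_day in daily_totals(events).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            total = per_day[day]
            history = [per_day[d] for d in days[:i]]  # strictly earlier days
            baseline = statistics.median(history) if history else None
            reasons = []
            if total > absolute_limit:
                reasons.append(f"exceeds absolute limit {absolute_limit}")
            if baseline and total > baseline_multiplier * baseline:
                reasons.append(f"{total / baseline:.0f}x prior daily median {baseline:.0f}")
            if reasons:
                alerts.append((user, day.isoformat(), total, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in flag_bulk_extraction(SAMPLE_LOG):
        print(alert)
```

In a real deployment the thresholds would be tuned per role (a reporting analyst legitimately pulls more than a call-centre agent), and an alert like the one above would feed an incident process rather than sit in a log nobody reads.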
Whilst we can diligently help deal with any data breach scenario that may need to be reported quickly to regulators, contract parties and/or individuals, we would rather help prevent it arising in the first place. Why not take one of our mock breach scenario training sessions to test the resilience of your operational processes and practices? Or have a review of your compliance approach and key risk areas?