Data protection is a major concern for organisations large and small. Recent announcements by the UK data protection authority, the ICO (Information Commissioner’s Office), of significant penalties for British Airways (more than £183 million) and Marriott (more than £99 million) for breaches of the GDPR (General Data Protection Regulation) make it clear that the days of light-touch enforcement are over.
Discussing the BA fine, Elizabeth Denham, the Information Commissioner, said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
In the wake of the ICO’s announcements, many organisations are undoubtedly reviewing their data protection practices, hoping to assure stakeholders that they are not vulnerable to similar data breaches. Such reviews, however, often focus on information security measures – protecting the confidentiality, integrity and availability of personal data. While information security plays a key role in protecting sensitive personal and commercial data, data protection means more than firewalls and strong passwords – it also means protecting the rights and freedoms of the data subjects who trust you with their information.
For example, under the GDPR, if your organisation plans to process data in a manner that could result in a high risk to data subjects, you must conduct a DPIA (data protection impact assessment).
DPIAs are meant to protect data subjects and are only concerned with risks that affect them. If the DPIA finds an unacceptable level of risk, that risk must be mitigated before the processing can go ahead, even if it means a delay to your project. If you can’t reduce the risk, you must consult your supervisory authority before the processing begins.
This may seem burdensome, but DPIAs are a key defence against misuse of personal data – and they don’t have to be a painful process. No organisation is truly immune to data breaches, but properly conducting DPIAs and taking actions to reduce risks to data subjects demonstrate to supervisory authorities that you have taken a thorough and considered approach to privacy risk management.
Effective data protection also requires a full understanding of the data you hold. While the effort necessary to develop comprehensive data flow maps may seem daunting, it’s essential to know where data enters and leaves your organisation, where and how it is stored, and what the data is used for. Without a clear picture of the data, responding to DSARs (data subject access requests) within the one calendar month limit, or ensuring that data processing stops after a data subject has objected, can be a major challenge.
Breaches of the GDPR can attract penalties up to €20 million (£18 million) or 4% of an organisation’s annual turnover, whichever is greater, so it’s critical that your data protection practices are up to scratch.
How Vigilant Software can help
Our easy-to-integrate, cloud-based data privacy tools include the Data Flow Mapping Tool, the DPIA Tool and GDPR Manager. They help you identify and map the data flowing in and out of your organisation, handle DSARs efficiently, and manage all your GDPR activities in line with international best practice.