However your business is likely to be affected by Brexit, Arron Banks may just have helped you out.
How? By drawing attention to the myriad responsibilities organisations have to protect users’ personal data – and the hefty fines they risk incurring if they don’t take it seriously. Leave.EU and an insurance company owned by Arron Banks have been fined a total of £135,000 following an Information Commissioner’s Office (ICO) investigation into the misuse of personal data.
The ICO said that it was ‘the most complex data protection investigation’ it had ever carried out, and that the case demonstrated a ‘disturbing disregard for voters’ personal privacy’.
What actually happened?
£120,000 of the fine – £60,000 for each organisation – was due to emails that breached data laws, with over a million sent to subscribers without their consent. A separate £15,000 fine was imposed for a Leave.EU newsletter being sent to more than 319,000 email addresses on the insurance business’s database.
And this is the key point. This six-figure sum was imposed not as a result of malicious activity, active theft of personal data, or even human error leading to personal data being compromised. It was very simply that Leave.EU and Eldon Insurance did not follow proper procedure with regard to what the individuals on their database had signed up for.
Banks’ own statement – ‘we may have accidentally sent a newsletter to customers’ – shows a shockingly dismissive attitude to what has taken place. Sure, the two organisations didn’t leave a memory stick full of personal data on a train for anyone to pick up. They didn’t fail to upgrade or patch their cybersecurity solutions for years on end, leaving an open door for malicious hackers to walk in and start harvesting information. But they did show a wilful disregard for careful processing of personal data, and legal and regulatory frameworks are increasingly strict with regard to such matters.
The onus is on you
The introduction of the EU’s General Data Protection Regulation (GDPR) in May of this year placed the onus firmly on organisations processing personal data to adequately protect that information. They need proper processes and protections in place to secure such data, and to ensure that privacy is implemented by design. Data breaches need to be reported within a set time frame; the days of organisations being able to sweep breaches under the carpet and deal with them quietly have passed.
We should be thankful, then, for cases like that of Arron Banks, not only for being big enough to garner press attention, but for reminding us all of the need for a thorough understanding of how data is processed within our organisations. It is no longer enough to have disparate databases of customer details, protected with a few rudimentary security tools. Now, organisations need to have a comprehensive understanding of how information flows within their infrastructures, and of how those flows relate to all relevant legal and regulatory frameworks.
Our Data Flow Mapping Tool is designed to help organisations understand how information flows throughout their organisation, and therefore to embed data protection by design, one of the key requirements of GDPR. Likewise, our Compliance Manager tool enables businesses to get all their statutory and legal requirements in one place and complete an ISO 27001 risk assessment smoothly and efficiently.
For advice on how you can get peace of mind with your information security and compliance, please contact us.