As GDPR bites what are the lessons for organisations?
Malcolm Bullock
Digital Transformation. Microsoft Copilot, Microsoft Alumni, Problem Solver
On the 8th July, the UK Information Commissioner's Office (ICO) issued a notice of its intent to fine British Airways (BA) £183.39M, and followed swiftly on the 9th July with a similar notice to Marriott International warning of a £99.2M fine. Surely it cannot be a coincidence that these two very high-profile notices were issued on consecutive days, each making headline news. These warnings are surely intended to signal a firm stance from the ICO in enforcing GDPR in the UK and, where breaches have occurred, in imposing fines which, whilst not at the maximum the regulation allows (4% of global turnover), are very stiff indeed. Previously, the biggest fines had been £500k to Equifax and Facebook, or £400k to Carphone Warehouse.
The BA and Marriott cases both relate to incidents of criminality in which the organisation's systems were breached and data was stolen. However, when commenting upon these cases, the ICO has made it clear that, whatever the cause of the breach, the organisation is responsible and accountable for the personal data of citizens that it holds.
Information Commissioner Elizabeth Denham said: "People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.
"That's why the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
I had an issue recently myself where I was involved with a complaint to a UK ombudsman. As part of the investigation, I had supplied them with significant amounts of personal data, including bank statements, passport data, and other significant PII. Towards the end of the case, after they had found in my favour, I received an email from them informing me that they had ‘accidentally’ emailed my information ‘bundle’ to a third party. I was incredulous; how could this possibly happen? I returned their email with a series of questions, pointing out the serious breach of GDPR and asking if they had reported the loss of my information as required by law. I did receive back a full explanation, and their procedures for dealing with a breach seemed robust. But what had caused the incident? It was a simple human error; someone had not followed company procedure and had sent the information by mistake.
This was clearly a GDPR breach, and negligence is not a satisfactory defence under the law, although I did let the matter rest personally. My recent work with Microsoft 365, and in particular Office 365, has been to examine the processes and procedures that an organisation may have, or require. These policies may emanate from HR, IT, Compliance or any number of other departments. Once we are sure that the required procedures are in place, we codify them within the Microsoft 365 technology set. The breach I experienced personally need not have happened if simple technology protections had been in place to codify and enforce the existing, comprehensive written policies. Similarly, the recent news about the UK Ambassador to the USA, where a leaked email caused embarrassment, need not have happened had simple technology rules backed up what surely must be policy (not to send sensitive information to the press!).
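One way to codify the written rule behind the ombudsman incident above ("PII bundles are never emailed to third parties") in Microsoft 365 is a Purview data loss prevention policy. The script below is an added example, not the author's code or a Microsoft sample; it assumes the ExchangeOnlineManagement module, Compliance Administrator rights, and that the sensitive information type names shown exist in the tenant (confirm them with Get-DlpSensitiveInformationType before running).

```powershell
# Added example (not from the original post): a Purview DLP policy that blocks
# e-mail carrying passport or bank details from leaving the organisation.
# Assumptions: ExchangeOnlineManagement module installed, Compliance Administrator
# rights, and the sensitive-type names below present in the tenant.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName = 'Block PII bundles leaving the organisation'

# Policy scoped to all Exchange mailboxes. Start in test mode so nothing is
# blocked while the hit rate and false positives are reviewed.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -Mode TestWithNotifications `
    -Comment 'Codifies the written policy: PII bundles are never sent to third parties by e-mail.'

# Rule: a message to a recipient outside the tenant that contains any of these
# types is blocked, the sender is told why, and a high-severity incident report
# goes to the compliance team so the event is visible (and reportable) at once.
New-DlpComplianceRule -Name 'Passport or bank data to external recipient' `
    -Policy $policyName `
    -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'U.K. Passport Number';                         minCount = '1' },
        @{ Name = 'International Banking Account Number (IBAN)'; minCount = '1' },
        @{ Name = 'Credit Card Number';                           minCount = '1' }
    ) `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This message contains personal data and cannot be sent outside the organisation. Use the approved secure transfer process.' `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel High

# Once the test period shows acceptable false positives, switch to enforcement:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

The test-mode step matters: an enforcement policy that fires on legitimate business mail is quickly disabled by frustrated users, which leaves the written policy once again unenforced.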
Consultancy on Process and Governance is something that takes a detailed understanding of the technology platform, together with a detailed understanding of the organisation’s processes, procedures and relevant regulation and law. Having worked at Microsoft for 16 years and with Office 365 and Microsoft 365 since launch, combined with qualifications in Change Management and a lifetime in consultancy, Malcolm Bullock is well positioned to provide this guidance. Email to start a conversation about your organisation [email protected].
Originally posted to https://thinkingchange.eu/as-gdpr-bites-what-are-the-lessons-for-organisations/