
Privacy vs security: first fines reveal shift in data protection landscape

Thanks to internal training and better practices the transition to GDPR has been relatively smooth, but it is no time for complacency. Guest columnist Keith Dewey shares an update

Over two months since ‘GDPR Day’, most organisations are still successfully processing personal data, but travel companies should beware. With the regulation now enforceable, consumers more empowered and security – a small part of GDPR – becoming an increasing focus, the Information Commissioner’s Office is keen to show it has teeth. Since May, several fines have been levied against companies for everything from making annoying sales calls to being lax with privacy and security. While the ICO has not yet fined any company under the EU GDPR or the UK Data Protection Act 2018 (the breaches happened before May 25), the value of these fines does appear higher.

Three lessons from the past three months, and a case to watch

1. Strange outcomes

One strange outcome, which presumably their advisors will resolve this year, is the move by news websites across various parts of America to block EU traffic. With this in mind, the hope is that the European Parliament’s vote on July 5 to suspend the EU-US Privacy Shield by September 1, ‘unless the US is fully compliant’, will not require temporary data protection safeguards to be deployed for data shared with the US. And, of course, there are also unnecessary adverse macroeconomic consequences to avoid, as the UK continues to battle with trade wars and Brexit.

2. Shifts in focus

There has been a gradual shift in focus from ‘privacy controls’, such as consent forms, privacy notices and the broader usage of data, to ‘security controls’ and the murky realms of firewalls, access control and endless, endless acronyms (SIEM, APT, NIST, IDS, IPS, DDoS, DLP, GRC, etc). This shift is awkward because security is only a small part of the GDPR and is covered only at a high level, while security itself is a very broad and deep specialism.

This mismatch made it difficult for many GDPR project teams to understand the specific security requirements when working through the GDPR. However, security breaches have historically accounted for a large share of fines. The recent ICO ‘breach notification’ webinar also highlighted how important security is from the regulator’s perspective. An increasing number of organisations are realising they may need to do more to demonstrate appropriate security. While this may not be welcomed, it is certainly important to protect data subjects from fraud and harm.

3. Internal training and an ICO with teeth

Since May, the ICO has reported a significant increase in security breach notifications: from under 400 cases in March to nearly 1,800 cases in June. On the positive front, internal training and awareness campaigns have helped to increase the number of breaches being reported within companies. Firms also recognise the increased risk from cases that are not quickly reported. Many of the breaches are as simple as an email containing personal data being sent to the wrong person – too easy to do, with most companies reliant on a weak human control.

As useful examples of ‘bad practice’, we typically group the recent fines into three categories:

Marketing (PECR)

  • £100,000 fine for AMS Marketing (1/8/18), for making over 75,000 sales calls without checking the Telephone Preference Service (TPS) register. A popular cause of fines.
  • £60,000 fine for STS Commercial Ltd (6/7/18) after sending ‘spam texts’ (aka ‘unsolicited direct marketing’) to more than 270,000 people without their consent.

Data Security

  • £200,000 fine for ‘Independent Inquiry into Child Sexual Abuse’ (IICSA) (18/7/18) for revealing the names of victims in a mass email.

Data Usage

  • £140,000 fine for Lifecycle Marketing (Mother and Baby) Ltd (9/8/18), also known as Emma’s Diary, for illegally selling over a million personal data records to Experian. New mums experienced a very different kind of labour, as the data was shared with the political party before the 2017 election.
  • £2,000 fine for Noble Design and Build of Telford (3/7/18) for having failed to respond to an ICO information request regarding the use of CCTV cameras.
  • £500,000 fine being considered for Facebook, after it failed to safeguard data that was used for political campaign work by Cambridge Analytica. This would still be one of Facebook’s lowest recent fines, as the company and its share price are battered across Europe.

One to watch: Dixons Carphone PLC

The Dixons Carphone (DC) breach is being closely watched. On June 13, 19 days after GDPR/DPA went live, DC ‘admitted a huge data breach’ involving 5.9 million payment cards and 1.2 million personal data records. The amount of payment card data held per record should be limited under the Payment Card Industry Data Security Standard (PCI-DSS) and ‘Chip and PIN’ (EMV). On July 31, an ICO spokesperson confirmed a ‘significantly higher’ figure of 10 million personal records. This type of data is often used in phishing attacks against consumers, who may unwittingly leak further information that can be used to perpetrate fraud. In a stark warning for all companies, the breach had a visible effect on the share price.

All this comes just months after the ICO fined Carphone Warehouse £400,000 for a loss of data confidentiality in 2015. A third party that was processing its data suffered ‘rudimentary security failures’. There are some good write-ups of which security controls were required but had not worked effectively. It remains to be seen whether the ICO can act faster with Dixons, to show not only that it has teeth but that they are sharp.

In the meantime, given that nothing is ever 100% secure, leadership teams should prepare for when, not if, a breach occurs.

Keith Dewey is a GDPR and cybersecurity whizz with expertise in both security and privacy. His views are his own.
