Ouch! The potential cost of cyber security breaches and GDPR non-compliance. Jenny Parsons, ProTech’s CEO, gives her personal view
If there are any senior executives within NFPs, membership organisations or associations who have yet to be convinced of the threat cyber security breaches pose to us all, they must have had their heads in the sand for a very long time. Surely there isn’t a ‘desert’ anywhere that didn’t receive news of Wannacry and the more recent ransomware cyber security attack, both hitting computers across the world.
The example of Wonga, which in April warned 245,000 of its UK customers and 25,000 customers in Poland that they should be vigilant after a serious data breach, should have been another warning in an ever-increasing list. ComputerWeekly.com’s Security Editor, Warwick Ashford, wrote that the breach ‘may have exposed personal details’ including some financial information, and that it could be the UK’s biggest data breach to date.
Short-term loan firm Wonga emphasised that customers’ full card details were not at risk; however, even incomplete sets of financial data can put affected customers at risk of financial loss, according to some security experts. Should the personal data breach at Wonga be confirmed, the Information Commissioner’s Office (ICO) will take a close look to determine whether the company had taken adequate precautions to keep its customer data safe.
Wonga must be slightly concerned that it may suffer the same fate as TalkTalk. Remember that the ICO fined TalkTalk a record £400,000 for having failed to apply ‘the most basic cyber security measures’. There is no question that £400,000 is a lot of money, but it pales into insignificance when compared with the possible fines for non-compliance with the EU General Data Protection Regulation (GDPR). Fines could be as high as €20 million or up to 4% of global turnover. Eye-watering sums indeed.
Yet, according to Ben Rossi of Information Age, 1 in 4 UK businesses have cancelled preparations for GDPR. Yes, that’s right, cancelled, and do you know why? Because they think that Brexit means they will not have to comply with GDPR. That could be a catastrophic mistake. This is even more worrying than senior executives having their heads in the sand, as these IT decision makers have looked at GDPR and misunderstood what it means.
GDPR has been talked about since 2012 and is ‘designed to harmonise data protection regulation throughout Europe and provide citizens with more control over their personal data’. The regulation was ratified in April 2016, and all UK companies have until May 2018 to comply, which, crucially, is ten months before we exit the EU.
A survey conducted by information management firm Crown Records Management, across IT decision makers within UK companies, reveals that 24% are no longer preparing for GDPR and 4% have not even begun to prepare for compliance. Bizarrely, 4% believed that GDPR will not apply to UK businesses after Brexit. Once we have exited the EU, the UK will no longer be a signatory to the regulation, but GDPR will still apply to those organisations which hold or handle the personal information of European citizens.
You only have to think about how many EU citizens currently live and work in the UK, and it’s suddenly not hard to imagine how many businesses will need to comply. There is some good news from the survey: seven out of ten businesses with more than 100 employees have already appointed a data protection officer, a requirement of GDPR; 50% have introduced staff training; and, encouragingly, 72% have reviewed data protection policies.
As an NFP, membership organisation or association, ensuring the safety of your members’ data has never been so important. A good place to start is by working with a CRM provider, such as ProTech, who has worked with an independent Government-certified (CHECK) organisation and whose specialist CRM and digital solution has been successfully penetration tested to meet the security requirements for Government ‘OFFICIAL’ security accreditation (http://www.protech.co.uk/news/protech-announces-crm-security-accreditation/). From a GDPR perspective, ProTech’s digital platform, ProWeb, enables our clients’ members to provide informed consent to data collection and processing as part of their registration process.
This ensures that members’ preferences are automatically updated by our specialist CRM software, Pro9, so that our clients only hold and process data where informed consent has been provided. We are also in the process of enhancing Pro9’s data archiving and deletion capabilities to make it easier for our clients to forensically remove data where consent has been withdrawn.
Crucially, Pro9 provides our clients with a ‘subject access request’ workflow which automates the processing of the legal requirement to provide your customers (members) with visibility of all of the data you hold about them, currently within 40 days. Pro9 monitors the number of days within which our clients need to respond to a request and provides a standard format for the response. Our clients have visibility as to whether the legal requirement has been met, or whether the request has been escalated and the legal requirement may be breached. Although our clients can delete entire records to comply with a member’s ‘right to be forgotten’, ProTech has worked to ensure the integrity of reports they may run which draw on historical data.
Cyber security attacks are increasing, and data protection regulations between the UK and Europe are not going to disappear into thin air after Brexit – so make sure you are protected from hugely damaging data breaches and hugely expensive fines resulting from GDPR non-compliance.
Jenny Parsons, ProTech CEO