Since the coming into force of the General Data Protection Regulation (GDPR) on 25 May 2018 there have been a number of high-profile data breaches reported in the press. We have had British Airways, Air Canada, Facebook (twice), Dixons Carphone, Equifax and the Conservative Party. Some of these breaches are covered by the law in place prior to the GDPR and some will be covered by the GDPR itself. We thought it would be interesting to see whether there are any common themes emerging from these breaches which could prove useful for other organisations.
What is the point of the GDPR?
With all the noise about data breaches, marketing preferences and online ad targeting, we risk losing sight of what the GDPR is all about. The aim of the GDPR is to better protect the personal information of individuals. It is safeguarding a fundamental right. If the reporting of these data breaches leads to all our personal information being safer then that is a good thing.
Why all these data breaches all of a sudden?
Some of these breaches occurred some time ago and are only just being reported, or fines in respect of them are only just being levied. However, the new requirement to report significant breaches to the regulator within 72 hours has certainly resulted in breaches being reported quickly. These breaches hit the news quickly after a press release is sent out from the regulator.
Do these data breaches have anything in common?
All the breaches mentioned in the first paragraph were caused by hacks (apart from the one involving the Conservative Party which would appear to have been caused by simple incompetence). However, we should not be quick to conclude that most data breaches are caused by hacks because they are not. The cases that have reached the press all involve large companies with lots of personal information that is likely to be extremely valuable to cybercriminals. Such specific reasons for targeting do not apply to most companies.
The ICO said recently that only one out of five data breaches reported to them since 25 May 2018 was the result of a cyber event. And there have been a lot of breaches reported – there were almost 1800 in June alone. The ICO has not said what has caused the other four out of five breaches, but my experience would suggest that in most of those cases human error was a major contributory factor.
Another interesting thing to note is that in three of the cases that hit the press, the source of the breach was not the company in the headlines. The source of the breach was a third party that was processing personal data on behalf of the company investigated or fined. In the Equifax case, the company that failed to adequately protect personal data was a US parent company. In the first Facebook case, it was Cambridge Analytica. In the Conservative Party’s case, it appears to have been an app developer. This just shows the importance of ensuring not only that personal data is protected in your own environment, but also in the environments of those you share it with.
What should organisations do?
Organisations need to recognise, if they haven’t already, that protecting personal information has great value. Not only may the personal information itself be valuable, but there is considerable worth in protecting it. Organisations that do not protect personal information risk data breaches, bad publicity, fines and customers choosing to move to organisations that they feel they can trust more.
The answer is a compliance programme that makes everyone in an organisation responsible for data protection compliance. Everyone in your organisation needs to understand what privacy is and what they can do to help. You then adopt a compliance programme which brings that to life in a practical and sustainable way.
If you would like to see what that looks like, feel free to talk to us at The Privacy Compliance Hub. Explore the rest of our GDPR resources for more expert advice.