183 mil­lion rea­sons to imple­ment a Pri­va­cy Com­pli­ance Programme

Today the rub­ber hit the road, with British Air­ways being fined a record £183 mil­lion by the ICO for its fail­ure to safe­guard its cus­tomers’ per­son­al data as required under the GDPR. For many com­pa­nies traf­fick­ing in per­son­al data, GDPR com­pli­ance has been under­tak­en with either a ​“let’s do the bare min­i­mum” or a ​“let’s wait and see” approach. At the C‑suite lev­el, com­pli­ance is, more often than not, still the last item on a busy meeting’s agen­da. The ​“expert” fore­cast (dare we say myth) that a reg­u­la­tor would be unlike­ly to levy a fine in excess of £3 mil­lion for non-com­pli­ance with the GDPR, which allows for a fine of the larg­er of EUR 20 mil­lion or 4% of annu­al glob­al turnover, has been debunked. The expec­ta­tions around a company’s use and pro­tec­tion of their customer’s per­son­al data are real, and pri­va­cy com­pli­ance needs to be a cen­tral tenet in the oper­a­tions of all cus­tomer-fac­ing businesses.

Do you have a clear­ly defined and cred­i­ble pri­va­cy com­pli­ance pro­gramme? Does your risk-reg­is­ter note your areas of pri­va­cy risk and reme­di­a­tion efforts? Pri­va­cy com­pli­ance is a jour­ney not a des­ti­na­tion and the reg­u­la­tor will in all cas­es expect to see proof of that jour­ney. As they have demon­strat­ed via their han­dling of the BA breach, full coop­er­a­tion will be help­ful as will the abil­i­ty to demon­strate the steps tak­en towards com­pli­ance – BA could have been fined as much as £500 mil­lion based on their turnover. While organ­i­sa­tions have done an excel­lent job of updat­ing pri­va­cy poli­cies and cre­at­ing ded­i­cat­ed routes to admin­is­ter sub­ject access rights, they haven’t placed equal weight on the ​“behind the scenes” activ­i­ties that are also required. While reflect­ing on today’s news, it is a good oppor­tu­ni­ty to revis­it these ​“behind the scenes” activ­i­ties and to con­sid­er com­mis­sion­ing a data audit and pen test­ing for your online estate.

For a dis­cus­sion on how our team can sup­port your com­pli­ance efforts includ­ing defin­ing your pri­va­cy com­pli­ance pro­gramme and con­duct­ing your data audits, you can con­tact us direct­ly at chris@​lexsolutions.​com or manu@​lexsolutions.​com.

8 Jul