08 Jul 2019
British Airways

183 million reasons to implement a Privacy Compliance Programme

Today the rubber hit the road, with British Airways being fined a record £183 million by the ICO for its failure to safeguard its customers’ personal data as required under the GDPR. For many companies trafficking in personal data, GDPR compliance has been undertaken with either a “let’s do the bare minimum” or a “let’s wait and see” approach. At the C-suite level, compliance is, more often than not, still the last item on a busy meeting’s agenda. The “expert” forecast (dare we say myth) that a regulator would be unlikely to levy a fine in excess of £3 million for non-compliance with the GDPR, which allows for a fine of the larger of EUR 20 million or 4% of annual global turnover, has been debunked. The expectations around a company’s use and protection of its customers’ personal data are real, and privacy compliance needs to be a central tenet in the operations of all customer-facing businesses.

Do you have a clearly defined and credible privacy compliance programme? Does your risk register note your areas of privacy risk and remediation efforts? Privacy compliance is a journey, not a destination, and the regulator will in all cases expect to see proof of that journey. As the regulator has demonstrated in its handling of the BA breach, full cooperation will be helpful, as will the ability to demonstrate the steps taken towards compliance – BA could have been fined as much as £500 million based on their turnover. While organisations have done an excellent job of updating privacy policies and creating dedicated routes to administer subject access rights, they haven’t placed equal weight on the “behind the scenes” activities that are also required. Today’s news is a good opportunity to revisit these “behind the scenes” activities and to consider commissioning a data audit and pen testing for your online estate.

For a discussion on how our team can support your compliance efforts including defining your privacy compliance programme and conducting your data audits, you can contact us directly at chris@lexsolutions.com or manu@lexsolutions.com.