The ICO has stated that it intends to fine the hotel group Marriott £99.2 million for a data breach that exposed the personal details of about 339 million guests.
So, those of us who warned two years ago how profoundly dangerous a GDPR fine could be for a business weren’t wrong. We were among the first to recognise the implications, and it is now clear that the game has changed: if either your GDPR compliance or your cybersecurity is compromised, it can bankrupt your business. The first major GDPR penalty in the UK, a notice of intent to fine £183 million (yes, you read that right), is now public. Contact [email protected] for quick, comprehensive guidance.
The rules of GDPR for small businesses are the same as for bigger corporations. Yet it has been reported that many small businesses still don’t understand GDPR, seven months after it came into effect. Of the 1,000 questioned for a new survey, half admitted that they didn’t understand the rules brought in on 25 May, despite the possible consequences. Keep in mind that the maximum penalty is €20 million or 4% of annual global turnover, whichever is higher, and that it applies per infringement.
There were many shocking statistics to come out of the survey. A few to particularly take note of:
- 60% of small businesses didn’t know that the Information Commissioner’s Office should be notified if a data breach occurs. In addition, half didn’t know that the affected individuals should also be notified.
- 25% allowed employees to use their own phones, computers and other devices for work without making sure the data on them was encrypted. However secure the data was in the workplace, it was therefore not sufficiently protected once it left it.
- Many paper records are not being disposed of securely. More than half were not disposing of customer records properly, and the same was true of staff records in 71% of cases.
- A quarter had used details from real cases in training materials, effectively handing customers’ private information to their employees.
You can read the full details of the survey by clicking here.
By being unaware of the requirements of GDPR for small businesses, these companies are putting both their customers and themselves at risk. It is vital that everyone knows their obligations regarding data protection under the new law, but many still don’t.
Activa Consulting can provide an extensive GDPR gap analysis to establish whether your company is compliant with GDPR. We also offer services designed to protect you from data breaches, such as GDPR staff training, which helps prevent the simple lapses that can lead to massive fines.
So contact us today to give your organisation the best chance of being GDPR compliant!
Under GDPR, a data breach can be caused by any member of staff, and a lapse by a single employee can result in a heavy fine: up to €20 million or 4% of annual global turnover, whichever is higher. This makes GDPR training an absolute necessity. It is therefore surprising that a recent poll conducted by Fellowes found that 17% of workers still haven’t received a GDPR policy from their company.
This is a huge and unnecessary risk for a firm to take, but it gets even worse. 54% of the 1000 UK workers polled have seen confidential data they shouldn’t have, and 33% of them admitted to leaving personal data unattended – with 14% having left confidential material in a public space.
These kinds of slip-ups could easily result in a data breach. Yet it would seem that, despite the punishing fines for non-compliance with GDPR, many companies still don’t treat the issue seriously enough: 17% of workers said they would be challenged more over lateness than over GDPR compliance.
GDPR training for employees is a vital way of ensuring data protection. If a breach can originate anywhere in an organisation, from any employee, then everyone must be kept up to date on their individual responsibilities, and it is clear from this poll that this isn’t happening in many places. 10% of workers didn’t even know who was responsible for GDPR compliance in their workplace!
Even if a data breach does occur, it is worth remembering that staff training is likely to reduce the resulting fine. Under Article 83 of GDPR, the technical and organisational measures a controller had in place and the steps it took to mitigate the damage are among the factors the ICO must take into account when setting a penalty, so preparedness and an effective response to a breach count in your favour.
Our GDPR training services can help ensure that your company remains compliant with data protection law. We help you reduce both breaches and fines by providing in-person training to your staff, covering anything from the basics of GDPR up to advanced data protection topics, and improving their confidence and competence in handling personal data.
The first GDPR enforcement notice in the United Kingdom has been issued to AggregateIQ Data Services (AIQ). The Canadian firm was linked to the Facebook–Cambridge Analytica scandal earlier this year, having provided data-analytics tools used in political campaigns. Having caught the attention of the Information Commissioner’s Office, it has now run into trouble for failing to comply with GDPR.
The ICO served the notice in connection with the personal data of EU citizens held by AIQ. Because the data involved, including names and email addresses, is being stored for political purposes and without the individuals’ consent, there is no lawful basis for AIQ to process it.
Take a look at the full story about the UK’s first GDPR notice here: https://www.zdnet.com/article/uk-issues-first-ever-gdpr-notice-in-connection-to-facebook-data-scandal/
There are several important things to note about this, illustrating the dangers of not being fully aware of GDPR and its implications…
- AIQ may be based outside the UK, but this doesn’t protect it. GDPR applies to organisations outside the EU that monitor the behaviour of people within it, and in the words of the ICO, “AIQ’s processing of personal data is said to relate to monitoring of data subjects’ behaviour taking place within the European Union”.
- For its role in the Cambridge Analytica scandal, which broke in March, Facebook was fined £500,000, the maximum available under the Data Protection Act 1998, because its conduct predated GDPR. The notice issued to AIQ nevertheless comes under GDPR, even though the data it is processing relates to the same scandal. This is because AIQ didn’t tell the ICO that it still held EU citizens’ data until May, when GDPR came into effect, and it continued to hold that data after that date.
- The issue for AIQ is that there’s no legal basis for them to hold this data. The ICO states: “The controller [AIQ] has failed to comply [with GDPR]. This is because the controller has processed personal data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing.”
- While the GDPR notice has only recently come to the attention of the public, it was originally issued in July. The ICO demanded that AIQ “cease processing any personal data of UK or EU citizens obtained from UK political organizations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes.”
- AIQ had only thirty days to comply with this demand. Considering that the Cambridge Analytica scandal affected 87 million users, and that the firm provides software and tools for managing data for political purposes, this is a huge job to perform in such a short space of time.
It should be noted that AIQ has the right to appeal, and is exercising that right. However, if its appeal is rejected and it fails to comply, it faces a fine of up to €20 million or 4% of its annual global turnover, whichever is higher, and that is per infringement…
For our help and support with your own GDPR awareness and compliance programme, use the Contact Form on the right to get in touch today.
We have been delivering many urgent project management and staff training engagements recently, for companies that simply need “GDPR compliance now”, so much so that we haven’t had time for our usual blogging and marketing activity lately. We have written this article to consider where companies and organisations really are in their GDPR compliance programmes now, and what we recommend they do next.