Inspire September 2018

Page 18

Meanwhile down at the ICO… (infographic; the figures and captions below are reproduced in the order they appear on the page, source: ICO Annual Report 2017-2018)

15% / 30% / 5%
“Increase in Data Protection complaints”
“Increase in Self-Reported breaches”
“Increase in Freedom of Information complaints”
“Huge increase in telephone, live chat and written queries from the public and organisations resulting in…”
“…new telephone services for small organisations and for self-reported breaches”
“Monetary penalties given for breaches of electronic marketing laws relating to nuisance calls and spam text messages across 26 cases”
“for 11 fines for serious security failures under the Data Protection Act 1998”
£138k
“More calls than the previous quarter”
“Of hard-fought-for donations was spent on fines for unlawfully processing personal data”
30,000 / £80k
“More cases closed than any previous year!”
£3.28m / £1.29m
“Fine was issued to a data broking organisation”
“19 criminal prosecutions resulting in 18 convictions”

Copyright © Sphere Data Protection Limited. All rights reserved. Registered in England and Wales under Company Number 11034070

GDPR compliance: an uncomfortable truth

Did you notice how quiet it went on 26th May? The GDPR enforcement date came and went on 25th May 2018 and, for the most part, businesses can be forgiven for thinking that absolutely nothing changed. Businesses did not hear the ominous knock of the ICO’s Enforcement Officers at their doors; companies that had yet to start thinking seriously about the implications of GDPR (and the Data Protection Act 2018) seemed to breathe a collective sigh of relief and went back to doing what they had been doing before (except, of course, for the manic flurry of marketing re-consent emails).

The collective response from many organisations was relief, especially among SMEs, who have understandably been more vocal about the lack of resources to implement GDPR compliance. From others the response has been more muted, and we have also witnessed outright scoffing from some businesses that feel vindicated in ignoring the whole thing. But this is a sleeping giant for many; those of us who work in the data privacy field worry about so many organisations willing to continue ignoring data protection law. For many, reluctance stems from the realisation that they have two decades of catching up to do to reach even a baseline of data compliance. Business owners see this as an enormous effort of precious time and resources, on the chance that the eye of the ICO might swing their way – this appetite for risk is largely uninformed, and potentially harmful to businesses, especially in a struggling economy as we face the uncertainties of Brexit.

The fact remains that data protection has had very little coverage from the authorities and few examples of lawbreakers being held to account, which made the law ineffectual and toothless in the past. That is partly why data protection law has been upgraded. Enforcement will follow, eventually or swiftly, and the work required to comply with legislation will be a slow and never-ending journey for many organisations; industry isn’t static, and it cannot avoid the changing landscape of economy, technology and culture. Compliance with any piece of legislation is always an ongoing maintenance matter: consider how employment and health and safety legislation has been around for even longer in the UK, and yet we still see companies breaking these laws on a daily basis, largely through ignorance.

The ICO have been busy investigating data breaches, conducting audits, and issuing decisions, enforcement notices and fines. Non-compliance occurs across companies of every size, and there have even been some notable instances of individuals being prosecuted. Make no mistake, the ICO is showing its teeth and demonstrating its bite where it hurts. Consider how even a low-level fine of a few thousand pounds, combined with an enforcement order to make business changes and negative press, could devastate a small business. The ICO regularly announce who they’re investigating and why. Take a look at their ‘Action we’ve taken’ page; the list grows weekly, and there’s a broad range of companies and breaches. Thoughtful reading for the complacent.

Big names in the news (BT, Dixons Carphone, Emma’s Diary, Superdrug, the RSPCA and NHS Surrey, to name a few) are the tip of a very large iceberg. Only c.13,000 (<1%) of the UK’s 5.7 million registered companies are ‘large’, meaning statistically the remaining 99% are SMEs, who will continue to make up the majority of investigations, complaints and punitive action. Whilst relatively few businesses have yet had dealings with the ICO, many are unwittingly falling foul of data breaches, bringing them into the increasingly sharp focus of their customers. How many can say with certainty that they know their legitimate grounds for marketing well enough to avoid spamming customers, that their IT security is fully compliant, that they can prove due diligence on all third-party personal data sharing, and whether they need to register as a data processor with the ICO? If any of these questions make you uncomfortable, it’s time to address them before an uncomfortable feeling becomes a breach-of-law reality.

Most data breaches occur in ignorance, or through poor business behaviours and lax security measures. It’s important that organisations know how to apply the principles of data protection and privacy in their everyday operations – this means staff awareness and training is key, sponsored and driven from the top. Because, as any CEO knows, weathering a fine is one thing, but a blow to reputation can be fatal; the resulting loss of trust from customers and partners is far harder to recover from.

Sphere Data Protection are a Hertfordshire consultancy who specialise in helping SMEs understand how data protection and privacy law applies in practical terms. They provide a range of services to suit all budgets – visit www.spheredataprotection.com to find out more.

01727 375 078
info@spheredataprotection.com
www.spheredataprotection.com
