GDPR – 12 months on

As GDPR and the UK Data Protection Act mark their 1^st anniversaries this month, we thought it would be useful to reflect on what we’ve seen over the last 12 months, and to share some views on what will happen in the next 12 months.

It’s just another Year 2000 … what was all the fuss about ?

These are words that we hear so frequently. We’re old enough to remember the 1^st January 2000, when the world still carried on pretty much as it had done on the 31^st December 1999 and it’s true, the world didn’t come to an end on the 25^th May 2018.

But behind the headlines of last year’s scorching summer, mixed success in football tournaments and the ongoing saga of Brexit, a lot’s been happening. The ICO has seen their case load increase form 17,000 cases to a staggering 42,000; the number of breaches reported each week is approximately 500; and 900 related penalties have been issued. A case prosecuted by the ICO led to a first custodial sentence. Cyber attacks have grown (figures vary as we don’t report often enough but some believe that this is as high as a 140% increase on previous years).

Further afield, supervisory bodies in Europe have issued multi million euro fines to large organisations

Closer to home, we’ve helped customers navigate through subject access requests, we’ve worked with organisations to determine whether a breach is reportable or non-reportable breaches and called the ICO on their behalf. We’ve supported organisations in responding to ever lengthening procurement and supplier questionnaires. And we’ve implemented more Cyber Essentials, IASME, BS10012 and ISO27001 management systems than we’ve ever done before.

We’ve also worked with organisations to help them understand the consequences of data protection compliance and Brexit – yes, Brexit impacts this as well !

Change is definitely happening. The GDPR and the UK DPA are definitely here to stay. So we’ve rubbed the Risk Evolves crystal ball, and this is what we see happening in the next 12 months.

2019 and beyond

So where do we see the next 12 months ? This are our top tips :

More fines

We are expecting the ICO to rule on some of the breaches that occurred in the last 12 months. There were some cases that made the headlines last year which the ICO commented on at the time , and which are being investigated.

Where there’s a blame, there’s a claim

Is the adage, and we know that there are class actions forming for BA, Marriott Hotels, TicketMaster and even the Police Federation. Values for compensation for the theft of medical information for example are estimated as being as high as £6000.  Having seen how the PPI industry has grown over the last few years, and similarly, companies helping individuals to gain compensation when they have been involved in an accident, we believe that this is one industry that will grow.

Increasing supply chain scrutiny

With 60% of companies reporting issues within the supply chain due to cyber related instances, we expect more scrutiny om suppliers to occur. Our Clients have seen an increase already, as more questions are asked re. information security and data privacy and how these are managed both from an IT perspective but at Board level ie. the governance within a business.

Business Value

We have some anecdotal evidence that if you want to sell your business, then in addition to the questions on your financial position, customer list, inventory and so on, questions are being asked re. your information security history. ‘When was your last breach’ was one question that we saw listed in one questionnaire. No one wants to buy a liability (see comment above re. claims organisations).

A new ISO standard

Ok .. so we’re standard junkies here are Risk Evolves, and MD Helen was really excited to be invited to an open committee meeting for a new personal information management standard, ISO27552 earlier in the year. This standard has been developed by the International community to meet the requirements of legislation such as the UK Data Protection Act, the EU GDPR, the revised and strengthened Californian data protection laws and many others. You’ll need ISO27001 to be able to

Cyber Attacks

The other side of the data privacy coin is data security, and you can’t have data privacy without data security ! Keeping data safe, regardless of whether it’s digital or on paper is key. Based on trends, and feedback on the conversations that we have with the police, this threat is not going to go away. More companies will fall victims

So what do I do ?

Don’t panic  !

1. If you’ve not started your GDPR project, then do the basics. Register with the ICO, work out what data you have, why you’ve got it, how long you’re keeping it for, who you share it with and how you get rid of it. Write a privacy notice that you can put on your website.
2. Educate your staff. Explain that data is an asset in the same way as the stock in the warehouse, the company vehicle, the fixtures and fittings in the office and you don’t want it accidently lost, deleted, altered or shared. And if staff do this deliberately, you need to ensure that there are consequences.
3. Do some phishing training. As 92% of cyber crime starts with a dodgy email, helping staff to recognise protects you in the office and them at home. We’ve got a service that costs 7p per employee per day. On a monthly basis, that’s less than one copy of coffee. Isn’t your business worth it ?
4. Protect the data – do Cyber Essentials as a minimum. As this is recommended by ICO and the National Cyber Security Centre, you should ask yourself, why you haven’t got it already !
5. Challenge your suppliers. How are they keeping your data safe and secure.
6. Follow us ! We’re sharing details of free resources (yes FREE !) resources that can help you on our web page (https://www.riskevolves.com/1819-2/#more-1819 ) and through twitter and LinkedIn

Conclusion

Data Privacy isn’t going away. So if you can’t ignore it, best to embrace it and reap the benefits.