If you need any more inspiration to bring your business into GDPR compliance let this be it. Carphone Warehouse was recently fined £400,000 for putting its customers data at risk and allowing “unauthorized access to the personal data of over three million customers and 1,000 employees.” https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/01/carphone-warehouse-fined-400-000-after-serious-failures-placed-customer-and-employee-data-at-risk/
Casual Approach To Data Security Brings Downfall
It was without a doubt Carphone Warehouse’s casual approach to data security that ultimately brought them under the scrutiny of the Information Commissioner’s Office (ICO). Apparently the company had not taken sufficient action to protect their massive storehouse of personal information. In other words, Carphone’s cyber security was clearly outdated as the intruders accessed the Carphone system via obsolete WordPress software.
According to ICO.com, “The incident also exposed inadequacies in the organisation’s technical security measures. Important elements of the software in use on the systems affected were out of date and the company failed to carry out routine security testing. There were also inadequate measures in place to identify and purge historic data.” https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/01/carphone-warehouse-fined-400-000-after-serious-failures-placed-customer-and-employee-data-at-risk/
The ICO considered the inadequate security measures at Carphone Warehouse to be a serious breach of the Data Protection Act of 1998 Principle 7. According to Information Commissioner Elizabeth Denham, “A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.” She added “Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.” https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/01/carphone-warehouse-fined-400-000-after-serious-failures-placed-customer-and-employee-data-at-risk/
Business’s Obligation For Data Protection Key Consideration
If you have a business in Europe or are doing business with Europeans and house personal information of customers and employees, you have a general obligation as stated by the GDPR to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities. You must ensure that privacy and data protection is a key consideration in the early stages of any project, and throughout its lifecycle. This includes the following:
When building new IT systems for storing or accessing personal data;
When developing legislation, policy or strategies that have privacy implications;
When embarking on a data sharing initiative; or
When using data for new purposes.
If you consider cyber security something that can be added to your system as an afterthought or completely ignored, you are wrong. The new GDPR regulations will come into effect at the end of May. Keep in mind that it is your company’s responsibility to protect customer and employee personal information. Cyber attacks are happening more frequently every day. Having an effective layered security system will help to ward off any attack.
Procrastination Does Not Pay
Time is running out. Do not put your business at risk. Procrastination comes with a very high price. . If you are a business owner and have yet to come into compliance for GDPR, call our offices to set up a consultation. We now offer the most advanced level of cyber security, the new EUgrc Compliance Suite.