The Trace Privacy Edit: The hammer falls
The regulators show their teeth: a week of fines and headlines in Privacy.
Last week was quite the week in Privacy. While many were enjoying time off on a summer holiday, the regulators were busy. In the UK, the Information Commissioner's Office (ICO) issued a notice of its intention to fine Marriott £99 million and British Airways (BA) a whopping £183 million - the two highest fines levied under the GDPR to date. A clear signal that the 'grace' period following the introduction of the regulations is well and truly over, and a wake-up call to the many businesses that are still dealing with gaps and challenges in compliance.
In Trace's view, organisations should not panic but continue to ensure that compliance, Cyber Security and Privacy by Design are at the heart of operations with the right intent and principles in place, backed by good governance, tools and expertise. If there has been neglect since 25 May 2018 however, then clearly action must be taken to tackle gaps.
Personal data needs to be safeguarded: companies need to know what personal data they hold and that it is protected (and they will be held accountable). Our software helps meet this need with bite-sized data governance: users can model personal data and comply with Articles 30 and 28 of the GDPR. We always emphasise that software is only part of the picture, though: Data Protection needs to be sponsored from the top and embraced by the whole organisation (big or small) to embed compliance and a culture of good data custodianship. Trace enables good governance by surfacing gaps and visualising compliance, so that the whole business has a better understanding of its personal data, and privacy risk becomes more tangible and engaging. It's meaningful and manageable compliance beyond the tick box, and it complements great expertise and leadership.
The fines have also highlighted the importance of data due diligence in Mergers & Acquisitions (M&A) transactions (a huge subject in its own right, which we have been passionate about for a number of years and an area which urgently needs to mature). What is interesting about both cases is that they relate to credit card breaches, underlining the criticality of protecting high-risk data and carrying out Data Protection Impact Assessments (DPIAs). Trace® helps clients tackle DPIAs via our platform.
Privacy heats up in the US
Now, if the £300 million sounds eye-watering, it looks positively paltry compared to the $5 billion settlement the US Federal Trade Commission (FTC) has approved with Facebook over personal data mishandling and the Cambridge Analytica scandal. A bitter pill for the social media giant, though one it can currently afford to swallow thanks to its phenomenally profitable advertising business model.
Privacy is global
The stories on both sides of the Atlantic paint a clear picture: we're in a new era of Privacy around the world, and sanctions will follow legislation. The message is clear - look after your data - and it's best to be on the front foot with a regular and embedded approach which fits the size and culture of your business (as opposed to reacting to fines or neglecting regular audits).
Read more about the statements and stories here:
ICO Statement on the BA fine
The Guardian offers a handy Q&A reminder about GDPR fines and speculates on where the money might go
Trace talk: join us on 17th July at Skyscanner. We're talking 'Rules for Rebels' this Wednesday as part of Cyber Scotland Connect. Join the waitlist or watch the live-stream.
Are you ready for agile personal data modelling and visual GDPR compliance? We'd love to show you our software and how easy it is to use. If you are interested in a demo, please get in touch to arrange it.