
GDPR begins to bite

Last week saw the heftiest GDPR fines yet announced by the UK’s Information Commissioner’s Office (ICO) for British Airways and Marriott for recent data breaches.

BA is being issued a record fine of £183 million after a digital skimming attack on its website diverted customers to a fake site and saw half a million customers have personal data stolen, including names, addresses, logins and payment card details. Marriott is in line for a £99 million fine for a data breach that started back in 2014, affecting its Starwood guest reservation system and impacting 339 million people worldwide. These are big names receiving big fines, albeit not as large as the ICO has licence to impose. Under GDPR the ICO can fine up to €20 million or up to 4% of annual global sales.

So, one year on since the introduction of GDPR, how compliant are businesses? Research conducted at the Infosecurity Europe 2019 conference (1) in May 2019 found that two-thirds of respondents believed that businesses were not taking GDPR seriously enough. Talend (2) conducted research in the second half of 2018 and found that in 74% of Subject Data Requests (SDRs) made by individuals, companies failed to deliver the data within the one-month time frame.

The Talend research highlights a split between industry sectors on readiness for and compliance with the GDPR regulations, with the tech sector (streaming services, mobile banking and SaaS) being the most able to deliver on Subject Data Requests, with 50% of requests being delivered on time, whereas the more ‘bricks and mortar’ offline businesses fell well short, with retailers being the worst-performing segment. This suggests that businesses spread over multiple sites with legacy systems are struggling to implement procedures that conform to the new regulations across every facet of their organisation.

There is also evidence of a misconception about the scope that GDPR covers. A survey by ACCO Brands (3) in September 2018 highlighted that half of companies had updated their digital data policies but only a quarter had updated their approach to physical data destruction. The recent ICO action relates to cyber breaches, but the reach of GDPR covers the breach of any personal data, however or wherever it is stored, so it is not just about online security.

At LearnLive.Online we can help your employees understand their roles and responsibilities under GDPR. Our GDPR training course can be tailored to reflect your company’s policies and procedures and tie completely to the policies you have in place. Our online learning programmes are instructor-led in virtual classrooms in real time. Programmes can be accessed from anywhere in the world via tablet, mobile or desktop. Make sure your associates, wherever they are located, are receiving the same message and briefing on GDPR. All of our courses are fully trackable with ‘learner analytics’ so that you can be sure that all your employees have taken and engaged with the course materials. When your business could be facing fines of up to €20 million or 4% of global turnover, make sure that all your employees understand their roles and responsibilities when it comes to GDPR by speaking to us today.

Sources

(1) www.infosecurity-magazine.com/news/gdrp-security-pros-believe-1

(2) www.siliconangle.com/2018/09/13/state-gdpr-compliance-just-dreadful-survey-finds

(3) www.myaccobrands.co.uk/campaigns_gdpr.html
