Do you protect your business like a Chinese Takeaway?
So, just 10 days into the New Year and we have another big household name hitting the headlines, falling foul of the existing Data Protection Law and failing to protect customers’ information sufficiently, resulting in a breach and leaving customers at risk of their data being misused. The biggest headline here though is the fine – £400,000 – one of the largest fines issued by the Information Commissioner’s Office. Of course, a company like Carphone Warehouse, a company in a technical industry and a company dealing with vast amounts of personal information, should be taking data protection seriously.
Unfortunately, it appears they did the exact opposite leading the ICO to make quite a bold statement:
“A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks. Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures”.
Elizabeth Denham, Information Commissioner
As a consumer, it worries me that some companies we trust to provide us with services are still not investing the time and money to mitigate these risks as far as they can. As a GDPR Practitioner, it leaves me dumbfounded how organisations continue to dismiss something so fundamental, something so important, in an era that is swamped with personal data.
It makes me think of my local takeaway.
I know, it looks like I’ve jumped to a completely random topic, or I’m writing this on an empty stomach, but bear with me, it’s neither. When ordering from my local Chinese takeaway, I order assuming I’m not going to suffer negatively as a result. The ingredients will be stored safely and securely with no risk of contamination, the workspace used to prepare the food is clean and organised, the systems used to cook the food are fit for purpose and safe to use and the staff have been trained to know how to manage all of this without endangering me as a consumer – that’s their business, that’s what they do.
Businesses that rely on personal data to provide services should be taking similar precautions – storing data safely and securely, the tools they use to manage and interact with that data need to be clean and organised, the systems used to protect and process that data should be safe and secure, and staff should know what data they’re dealing with and how to use the data correctly. It’s a strange comparison but it’s a similar principle – my Chinese restaurant has done everything it can to make sure I don’t suffer. If organisations use personal information in order to provide services, they too should be doing everything they can to make sure we don’t suffer, using technical and organisational measures to protect their customers.
It doesn’t have to cost the world
In my role at Metaphor IT I see many different organisations across many different sectors, and I see a number of misconceptions surrounding the GDPR. The assumption is that blood, sweat and tears and a huge chunk of cash are required to get the business up to scratch. Yes, effort is required and some financial investment may be needed, but it doesn’t need to be onerous. If we look at the case with Carphone Warehouse, what could the outcome have been had this occurred after 25th May 2018, when the GDPR comes into effect? I suspect it would be rather more disastrous for them, although reputational damage could well hurt them more than any fine would.
While the fines are there as a deterrent for organisations, it’s very easy for the industry to jump on these numbers, plaster them across marketing material and scare businesses into making the right decisions. For huge organisations such as Carphone Warehouse, it’s probably the only way to get their attention, since it makes the financial risk too great to ignore; but for most organisations it’s a scare tactic that misses the point wildly.
Education is key
Most organisations want to do the right thing and want to protect the data they hold about their customers; it’s good business sense. The Information Commissioner’s Office have publicly stated that fines are a tool at their disposal, but that there are many other tools they have which they’d use before reaching for the sledgehammer. Education is key to all of this – we can use the information provided by the ICO, the press stories we see of organisations that have, unfortunately, got it wrong, and the expertise of those we probably have around us already.
As a GDPR Practitioner with a 15-year background in IT, security and governance, and with Metaphor IT’s enviable background in these fields, we can ensure that your business is prepared. Our customers can benefit from our expertise, and our understanding of their business, to prepare themselves for this change to legislation. If you’re struggling with GDPR or simply swamped with information and don’t know where to turn, please get in touch with me directly via LinkedIn or our contact pages on the Metaphor IT website. A GDPR Readiness Assessment will highlight gaps in organisational compliance and technical systems allowing us to create a plan of action to get your organisation where it needs to be. We can help you prepare your policies, procedures and processes as well as improving the security of your IT systems.
Let’s be more like my Chinese takeaway and ensure our processes are as customers expect them to be – safe, secure and with risks mitigated as far as possible.