The EU GDPR comes into effect in just over a year from now, but according to many reports, UK businesses still seem to have their heads stuck in the sand. The data breach at Royal & Sun Alliance was unbelievable for so many reasons, yet even the ICO's fine for that incident, and its fines for many other businesses, don't seem to be having the desired effect.
UK businesses and GDPR
For anyone living under a rock, the GDPR is due to come into effect on 25 May next year, but according to many recent reports and surveys, organisations are still not ready. For example, LogRhythm, Gigamon and ForeScout Technologies conducted joint research earlier this year that revealed that more than half (53 percent) of UK businesses were still not fully aware of the EU GDPR. Given the number of articles written about the subject, even in this media outlet alone, I find it incredibly irresponsible for any organisation, regardless of its size, to still not be fully aware of the upcoming regulations and how they will affect it. But I do wonder why that is, and what role the Information Commissioner's Office (ICO) should be playing in bringing organisations up to speed.
The Article 29 Working Party
Each EU Member State is represented on the Article 29 Working Party, and the ICO is the UK's representative. As part of this group, the ICO is able to input into the process of developing guidelines on the new law. So while we don't live in a nanny state, it seems fair to assume, given this status, that the ICO should take a good deal of responsibility for making organisations in the UK aware of the new regulation and helping them to prepare for it. The ICO now appears to be ramping up its communications around the regulation, but I wonder if this is a case of too little, too late.
Too little, too late?
When the bill was first passed by the member states, there appeared to be a vacuum of knowledge about what it really meant for organisations, and a lack of any framework that they should be working towards. Despite the ICO publishing its document “Preparing for the GDPR: 12 steps to take now” in March last year, businesses still didn't seem to know where to go to get information. As an avid watcher of the ICO's “news, blogs and speeches” webpage, there's no doubt in my mind that the communications efforts of the ICO have been seriously ramped up of late. But in the interim, the messages seem to have been muddled, and the current research suggests that has had a lasting effect on the readiness of UK businesses when it comes to the GDPR.
The public's advocate, but not the organisation's?
At the beginning of this year, the ICO announced that it had issued more than £1 million in fines since April 2016 to organisations breaking the law around marketing calls, texts and emails, and boasted that there was another £2 million in fines on the way soon. Within this announcement, it thanked the general public for reporting these organisations for breaches of the law. Of course the ICO should be protecting the interests of the consumer, but helping organisations to understand and prepare for the GDPR would, in turn, also help consumers by ensuring the protection of their personal information. I would question the ICO's focus when it comes to this.
Toothless where it counts?
There's no doubt that nuisance calls, texts and emails are a nuisance, but in comparison to the impact of a data breach on the consumer, nuisance marketing isn't even a fly in the ointment. While the ICO is fining lots of marketing firms regarding their use of data, it doesn't seem to be fining organisations that experience data breaches with quite the same gusto. Perhaps it's because there aren't as many organisations with data breaches as there are marketing firms using data contrary to the regulations? But even when the ICO does fine for a data breach, it's merely a slap on the wrist; take the recent example of Royal & Sun Alliance.
At the beginning of this year, the ICO fined Royal & Sun Alliance £150,000 after a “network attached storage” device holding the personal information of almost 60,000 customers was stolen from a data server room during a 10-week period in the summer of 2015. The fact that the organisation in question couldn't pin the theft down to less than a ten-week period illustrates a blatant disregard for the security of its customers' personal information.
The fact that the ICO is fining an organisation more than a year after the incident is peculiar. Presumably Royal & Sun Alliance had failed to report the breach for quite some time, but why is the ICO not investigating and fining the organisation sooner, and/or increasing the fine in proportion to the delay in reporting the breach? Although the maximum fine the ICO can impose on an organisation is £500,000, it chose to fine Royal & Sun Alliance just £150,000, which, under the circumstances, seems not nearly enough.
The impact of 60,000 customers' personal information being potentially leaked on the internet seems a lot more dire than those customers getting nuisance calls from three or four different marketing firms, but the fines tell a different story, and therefore I have to ask: is the ICO's head in the right place? Should it not be doling out the maximum fines it can, to get organisations to recognise the seriousness of data breaches? Shouldn't it be explaining to organisations that once they hold, collect or process any European citizen's personal information, they must adhere to the GDPR? Brexit doesn't necessarily represent an easy way out. And should it not be focusing its efforts on educating consumers about the risks of data breaches, and getting them to check with and ask every organisation that wants their data how it is securing that data, instead of asking them to report nuisance calls?
Contributed by Norman Shaw, CEO of ExactTrak