Data breaches are already an expensive problem, and the introduction of the GDPR will make them more expensive still, giving businesses a tangible incentive to invest in data security. Public-sector bodies are not exempt: they can face fines of hundreds of thousands of pounds.
Recently the University of Greenwich was fined £120,000 for a data breach that traced back to a microsite created in 2004. The microsite contained sensitive data and was never secured or taken down, and as a result the personal data of 19,500 students was exposed online.
The data included names, addresses, dates of birth, phone numbers, signatures and, in some cases, details of physical and mental health problems. The ICO noted that Greenwich was the first university to be fined under the outgoing Data Protection Act, a decision it attributed to the seriousness of the breach. Speaking on the incident, Steve Eckersley, Head of Enforcement at the ICO, said:
“Whilst the microsite was developed in one of the University’s departments without its knowledge, as a data controller, it is responsible for the security of data throughout the institution.
“Students and members of staff had a right to expect that their personal information would be held securely, and this serious breach would have caused significant distress. The nature of the data and the number of people affected have informed our decision to impose this level of fine.”
Had the breach fallen under the incoming GDPR, the university could have faced a fine of up to £17,000,000 (the sterling equivalent of the GDPR's €20 million ceiling, which can rise to 4% of global annual turnover if that is higher), compared with the £500,000 maximum under the previous Data Protection Act (DPA).
The University of Greenwich is not the only public-sector organisation to have been fined recently. The Crown Prosecution Service (CPS) lost unencrypted videos, stored on DVDs, containing police interviews of child sex abuse victims. The videos were sent between two CPS offices by tracked delivery, with the receiving office located in a shared building. The delivery arrived outside office hours and the videos were left in the building's reception, not in secure packaging. Although the building's entry doors were locked, anyone with access to the building could reach the reception area. The videos were sent in November 2016, but their loss was not discovered until December. The CPS notified the victims in March 2017 and reported the loss to the ICO the following month. It is still not known what happened to the DVDs. The ICO commented:
“The victims of serious crimes entrusted the CPS to look after their highly sensitive personal data – a loss in trust could influence victims’ willingness to report serious crimes.
“The CPS failed to take basic steps to protect the data of victims of serious sexual offences. Given the nature of the personal data, it should have been obvious that this information must be properly safeguarded, as its loss could cause substantial distress.
“The CPS must take urgent action to demonstrate that it can be trusted with the most sensitive information.”
The rise of data breaches
Data breaches are nothing new, and under the GDPR's broadened definition a personal data breach covers anything from the accidental loss or deletion of data to unauthorised access or disclosure. In recent years the number of breaches making headlines has been rising. Facebook, Uber and Equifax have all been victims, and the figures are worrying: the Equifax breach alone affected over 145 million people, and Uber's affected over 55 million.
Under the GDPR, the updated European data protection law, an organisation that discovers a breach likely to put individuals at risk must report it to its supervisory authority within 72 hours of becoming aware of it. Previous data protection law did not mandate this, and in some cases breaches were covered up or only reported months, if not years, afterwards.
Every organisation should have updated its data protection policies to reduce the likelihood of a major breach in the run-up to the GDPR. For those that have not, it should be a pressing concern now. Not only are the fines for non-compliance and for breaches much higher, but customers, end users and suppliers are all better informed about data protection. Being able to demonstrate compliance will set an organisation apart; for those that cannot, customer relationships may be strained and even fall apart. To learn more about the GDPR and how Redstor can assist with compliance and with data protection and management, get in touch now.