So your organisation is the victim of a crime, yet you end up paying a six figure fine of your own. Implausible? Not quite, for that is precisely what happened to a charity when thieves stole personal data from its network.
Back in 2016, hackers used ransomeware against the Swindon-based British and Foreign Bible Society leaving the Information Commissioner’s Office to level a £100,000 fine and conclude that, “The Bible Society failed to protect a significant amount of personal data, and exposed its supporters to possible financial or identity fraud.”
“Well it wouldn’t happen to us” I hear you say. But in the last year some of the biggest fines issued by the ICO for breaches of data protection law have been when organisations failed to ensure the security of their data. These include BUPA Insurance services (£175,000), The Crown Prosecution Service (£325,000) and Equifax Ltd (£500,000).
All of these fines followed pre-GDPR data breaches – before the compliance bar was raised. Now, almost a year after becoming law, we await outcomes of the first GDPR cases enforced by the ICO. I’ve no doubt that given all the publicity around GDPR, the ICO will not be impressed with poor excuses. Indeed, they are already expecting organisations to show that staff have been appropriately trained.
Of course data security is just one aspect of data protection, but it remains vital. Organisations should perhaps use the coming first anniversary of the GDPR to take stock of all their data protection practices, with data security being high on the list of items to review. As if to emphasise this point, it was revealed only last month that one in five charities has been the subject of a cyber attack, so clearly there is no room for complacency.
Some key questions to ask of your data security include:
- Who has access to your personal data and are they fully trained and aware?
- Is your data regularly backed-up and retrievable?
- Are all your devices and databases protected by robust passwords?
- Do you have a policy for using and where appropriate, encrypting mobile or removable devices (eg USB drives)?
- Do you regularly install the latest operating system updates?
- Is your anti virus software up to date?
When conducting your review, there is plenty of help available. For more detailed information on personal data security, a good place to start is the ICO itself. For cyber security, take a look at the National Cyber Security Centre. And for some more bite-sized help, you can download Green Pepper’s own Cyber Security Checklist.