Compliance with the General Data Protection Regulation (GDPR) and Data Protection Act 2018 is as important as ever during the current pandemic. This has been highlighted by the EasyJet and Serco announcements over the past week or so.
EasyJet have admitted that a cyber-attack on the business in January of this year led to nine million customers’ data being accessed. This included the theft of credit card details for 2,208 customers; those customers were only informed of the theft in April. In 2019, the ICO issued British Airways (BA) with a notice of its intention to fine them £183m for infringements of the GDPR. In that instance, it is believed that the personal data of 500,000 customers was compromised.
Whilst the ICO investigates, the potential fines for EasyJet are unknown. However, businesses should be aware that authorities could impose fines of up to €20m or 4% of global annual turnover, whichever is greater, and the BA case demonstrates the importance of compliance.
Serco, one of the companies known for hiring and training 15,000 contact tracers as part of the UK government’s “test, track and trace” strategy, have apologised for accidentally sharing 300 email addresses. The email addresses were shared when Serco contacted new trainees about training, copying (cc) rather than blind copying (bcc) recipients. Serco has said it does not intend to refer the matter to the ICO.
It is too early to assess the implications for Serco, especially given that the company has decided against referring the matter to the ICO. However, this is a warning to businesses of the potential reputational impact of a lapse in data protection compliance.
There are a number of points businesses can take away from the data breaches outlined in the EasyJet and Serco cases. These revolve around the ‘security principle’ in the GDPR and are as follows:
- Reviewing security measures: Whether your business has a £100,000 turnover or a £100m turnover, it is essential that you review the security measures you have in place, ensuring they are in line with industry best practice and quality standards. This is even more important where your business processes a high volume of personal data, including credit card details, names, addresses and so on.
- Appropriateness of measures: You can spend money on state-of-the-art security measures, but ICO guidance is that such measures must be appropriate both to your circumstances and to the risk your processing poses.
- Organisational measures: You should aim to create a culture of security awareness within your business. This can include policies on locking computer screens when staff are away from their desks, reviewing emails sent to bulk recipients (to prevent situations such as the Serco case), preventing sensitive information from being carried on public transport, and ensuring passwords are regularly changed by members of staff. Human error is a point of weakness for most businesses, so continuous training is required.
Bear in mind that, as a data controller, it is vital for you to:
- choose a data processor that provides guarantees about its security processes
- confirm any written agreements include undertakings or warranties that processors have the security measures in place that you would have to take if you were doing the processing yourself
- check that your agreement includes an audit requirement that the processor must make available all information necessary to demonstrate compliance