Former Police Scotland Chief Inspector Irene Coyle, having retired after serving 30 years, has now joined OSP Cyber Academy as Training Director and acts as the Data Protection Officer for OSP Group Ltd. Irene is a certified GCHQ-accredited Data Protection and GDPR practitioner and a registered DPO with the ICO, and now supports a wide range of clients with their training and outsourced Data Protection needs.
Irene was recently invited to be a Keynote Speaker at the “City of London Crime Prevention Association” Update on GDPR in Carpenter’s Hall, London. She gave a fantastic presentation to over 100 industry leaders and experts on the Implications of the GDPR and Data Protection Post 25th May 2018. Her findings are summarised below.
GDPR is certainly leaving its mark on the Data Protection field. The legislation aims to tackle dangers to data security and to ensure companies are accountable to their customers.
Since 25th May 2018, there have been around 500 breach-related reports to the ICO every week. The effects can be seen in a variety of industries, from Education and Health to Transport and Criminal Justice.
Here are just a few examples of companies that have been caught out already:
• Oaklands Assist UK Ltd fined £150,000 – thousands of nuisance direct marketing phone calls
• Bupa Insurance Services Limited fined £175,000 – failing to have effective security measures in place
• Equifax Ltd fined £500,000 – failing to protect the personal information of up to 15 million UK citizens after a cyber attack
• Everything DM Ltd fined £60,000 – sending 1.42 million emails without consent
• Gloucestershire Police fined £80,000 – revealing identities of abuse victims in bulk email
• Bayswater Medical Centre in London fined £35,000 – left highly sensitive medical information in an empty building
• University of Greenwich fined £120,000 – microsite compromise exposed the personal data of 20,000 staff and students.
Some of the common themes behind companies' data breaches and enforcement action include marketing practices, failure to deal with subject access requests (SARs), stolen information, and data being sold on the dark web. Over 600 companies across the UK were surveyed about their GDPR compliance. The following facts make for interesting reading:
• 20% of the companies believed themselves to be GDPR compliant
• 53% in the implementation phase
• 27% have not yet started
• GDPR implementation under way or completed increased from 37% to 73% in the UK
• 74% of respondents expect to be compliant by the end of 2018 and 93% by the end of 2019.
Looking at some statistics 100 days post-GDPR, more than 56% of companies admitted they have not audited their compliance with GDPR, and more than 51% of organisations have not documented the technical and organisational security measures they apply when processing personal data.
Looking forward, Data Protection should encourage innovation & continuous improvement – whilst Data Protection & Cyber Security should not be perceived as a cost overhead. It should be a driver to do things better and to do better things.
Privacy by design and by default is now a legal requirement and is about considering privacy issues upfront in everything you do. Having the right mindset towards Data Protection helps future-proof a business. You should look to communicate this to your consumers, so they know that the company is building privacy by design into its products and services, third-party arrangements and future use of data.
As Irene says herself…
“Education, Awareness and Training of staff is key to the success of your business and in protecting the privacy and rights of individuals, including your staff. It is easy to forget that we are all human and just trying to do our job, but mitigate risk of the data breaches – that we can see here are still occurring – by making your staff fully aware of Data Protection and GDPR.”