October 8, 2018 in Data Protection

GDPR – The Fines Have Started


The Information Commissioner’s Office (ICO) has been busy issuing fines and enforcement notices for non-compliance with GDPR and other Data Protection legislation. The larger fines for larger organisations have hit the papers. However, a large number of Advisory Visits have been made to smaller firms. It is not a good idea for any business to ignore GDPR. It is not just about putting a Privacy Notice on the website and only sending email marketing to customers.

The majority of fines are for carelessness and for the absence of adequate procedures and staff training. They have proved expensive mistakes for those involved.

Emails – check the use of BCC

The Independent Inquiry into Child Sexual Abuse was fined £200,000 for sending out a mass email in a way that let everyone see the details of the other recipients, all of whom were victims of abuse.

Gloucestershire Police did a similar thing revealing the identity of abuse victims to each other. For this they had to pay £80,000. A small mistake with huge consequences to the victims and the Police budget.

You would expect the Police to be good at complying with these rules. In addition to the above, the Chief Constable of Humberside had the embarrassment of having to sign an undertaking that he would in future train his staff properly in dealing with the data of individuals.
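The two email cases above come down to one mistake: the recipient list went into a visible header. The following is an added example (not code from the original post) of a small check a team can build into a mass-mailing script: the careless version lists everyone in To:, the safe version keeps the recipients only in the SMTP envelope. The sender and recipient addresses are constructed placeholders.

```python
"""Keep a mass mailing recipient-blind: real recipients stay in the SMTP envelope."""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample recipient list (placeholders, not real people).
SAMPLE_RECIPIENTS = ["person1@example.org", "person2@example.org", "person3@example.org"]


def build_careless_mail(sender, recipients, subject, body):
    """The mistake described in the post: every recipient is listed in To:."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def build_mass_mail(sender, recipients, subject, body):
    """Return (message, envelope_recipients) for a recipient-blind mailing.

    The visible To: names only the sender. The real recipients are returned
    separately for the caller to pass as SMTP envelope addresses, e.g.
    smtplib.SMTP.send_message(msg, to_addrs=envelope). No Bcc: header is
    written at all, so no stored copy of the message can disclose the list.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # neutral address; never the recipient list
    msg["Subject"] = subject
    msg.set_content(body)
    # Deduplicate while keeping order; the envelope is the only recipient list.
    envelope = list(dict.fromkeys(a.strip().lower() for a in recipients if a.strip()))
    return msg, envelope


def visible_recipients(msg):
    """Addresses any recipient would see in the delivered headers."""
    raw = [v for h in ("To", "Cc", "Resent-To", "Resent-Cc") for v in msg.get_all(h, [])]
    return [addr for _, addr in getaddresses(raw) if addr]


def leaks_recipient_list(msg, envelope):
    """True if header-visible addresses expose anyone on the envelope list
    other than the sender: the failure behind both fines above."""
    sender = str(msg["From"]).strip().lower()
    exposed = {a.lower() for a in visible_recipients(msg)} - {sender}
    return bool(exposed & {e.lower() for e in envelope})
```

Running `leaks_recipient_list` over every outbound message before it reaches the SMTP call turns the BCC rule into an automated check rather than something each staff member has to remember.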

Weak passwords

These cost the British and Foreign Bible Society, which distributes Bibles around the world, the sum of £100,000. Its computer network was compromised by a cyber attack. Access was obtained to the data of its 417,000 supporters, including some credit card details. This was all the result of easy-to-guess passwords.

Physical security is important

Bayswater Medical Centre left sensitive medical records in an empty building for 18 months. That cost them £35,000. The ICO looks badly on a lack of care with sensitive data.

Do not assume that breaches are only by mega companies or dodgy marketing firms. From the above you will see it is not those you would expect. All businesses should take the necessary steps to make sure it is not them.