Cumbria Chamber of Commerce is advising businesses to ensure they are GDPR compliant after British Airways and the hotel chain Marriott were hit with penalties totalling £282m for data breaches.
These are the largest penalties ever imposed by the Information Commissioner’s Office.
BA plans to appeal against a proposed £183m fine following a cyber attack last year when criminals harvested the personal data of 500,000 BA customers, including addresses and payment card details.
Marriott faces a £99m fine after hackers stole personal details of 339m guests worldwide, including 7m in the UK. It also plans to appeal.
The General Data Protection Regulation (GDPR) came into force in May 2018 to replace the Data Protection Act.
Businesses that fail to comply face substantial fines of up to 4% of their annual turnover.
Rob Johnston, Chief Executive of Cumbria Chamber of Commerce, said: “Initially, the Information Commissioner took a softly-softly approach to enforcement.
“The penalties imposed on BA and Marriott mark a sea change. It is the Commissioner setting down a marker, saying to businesses, ‘take this seriously – or else’.”
He added: “The Information Commissioner criticised BA for poor security arrangements and Marriott for inadequate due diligence, which allowed data to be compromised.
“She has made examples of them, probably because they are large companies that should have known better.
“But every business should be addressing this. It’s not only the risk of a fine. The reputational damage of being named and shamed for a data breach could do immense harm to your business.”
Click here for official guidance on GDPR from the Information Commissioner.
In addition, Cumbria Chamber has recorded a podcast with Tom Scaife, of Cumbrian law firm Baines Wilson, setting out the responsibilities and obligations businesses have under GDPR. To listen click here.
And here’s a best practice checklist to ensure you stay on the right side of the law:
Appoint someone senior to oversee GDPR. It is not just a matter for the IT department, so it is essential that a senior member of staff such as a director, partner or senior manager takes responsibility for overseeing the process.
Review existing information and cyber security and update as necessary. This does not have to be an expensive revamp; it can be a refresh tailored to the complexity of your organisation and IT set-up.
Map your data. Before you assess what has to be done, you need to know what data you have as this will inform what to do next.
Review contracts with clients, suppliers and employees to ensure GDPR compliance.
Draft data protection policies and procedures. The GDPR introduces the principle of ‘accountability’ – this means all organisations must not only ensure they are compliant with GDPR but prove this too.
Train staff. Not all staff will need to understand the GDPR in its entirety, but all staff should at least be aware that data protection is an issue for everyone.