Today’s announcement that British Airways is facing a record fine of £183m for last year’s breach of its security systems demonstrates that the General Data Protection Regulation (GDPR) has teeth.
For organisations, big and small, data security and privacy must be a priority.
As far back as 2012, FBI Director Robert Mueller is quoted as saying:
“There are only 2 types of companies: those that have been hacked and those that will be hacked”
Wikipedia lists nearly 300 companies that have suffered a security breach, often involving the theft of highly sensitive personal data.
Shockingly, the list includes businesses for whom one would assume data security would be an absolute priority: banks, government agencies and software/telecoms organisations that provide the applications that we rely on for our daily communications.
Even businesses for whom data is their business have been found wanting: Google, AOL, Yahoo, Facebook, LinkedIn, WhatsApp, Snapchat and Dropbox, to name but a few.
As the digital revolution gathers pace, all companies will eventually find themselves in the business of data.
Faced with such dismal data failures, it is clear that keeping data safe requires a shift in thinking for both companies and consumers.
And that thinking may be to equate data with money or cash.
For far too long, individuals have undervalued the worth of their data and overvalued the competence of their trusted institutions, such as banks or government agencies, or their favourite brands, such as British Airways, to use their data wisely and to keep it safe.
Until fairly recently, consumers routinely gave away large amounts of valuable information about themselves whilst signing up to the latest app.
Added to this, as people we are highly social creatures. We take great pleasure in sharing personal data in a very public way on social media platforms such as Facebook.
However, the highly publicised data breaches of recent years, coupled with an increasing understanding of just how much data is being generated and shared, are already leading to changes in attitudes.
Increasing numbers of people are amending the privacy settings of the devices and apps they use, upgrading their internet security and becoming extremely wary of digital communications, even from once trusted service providers.
For companies, it is time to restore trust. Understand that personal data is just that – personal. It belongs to the consumer who provided it for legitimate business purposes only.
With fines of up to 4% of turnover available to punish companies for data breaches, GDPR has no doubt forced many companies to think more seriously about how they acquire and manage data.
And yet, keeping it safe requires a culture change. Equate data with cash and you drive that culture change.
In any company, strong financial governance is essential. How you generate cash, how you spend it and the returns that you make on it are closely controlled and regularly audited. Crucially, stringent steps are taken to avoid misuse of the company’s money – i.e. fraud.
As with money, so with data. Smart companies are already investing heavily in enhanced data governance.
Clearly, money and data are not identical in the way that they are audited – for example, money is spent once but data can be used many times over. However, the basic disciplines of who holds money (or data), how it is used within the company and how it is moved outside of it still apply.
Since many data breaches seem not to be the result of sophisticated external attacks but of the loss of a computer or a data device, or even an “inside job”, tightening up data governance must go some way towards plugging the gaps in existing security systems and making more organisations fit to keep data secure in the digital future.
For now, expect more data breaches to become public and more high-profile businesses such as British Airways to be fined until companies are as careful with their customers’ data as they are with their own money.