Today’s announcement that British Airways is facing a record fine of £183m for last year’s breach of its security systems demonstrates that the General Data Protection Regulation (GDPR) has teeth.
For organisations, big and small, data security and privacy must be a priority.
As far back as 2012, FBI Director Robert Mueller is quoted as saying:
“There are only 2 types of companies: those that have been hacked and those that will be hacked”
The number of companies that have suffered data security breaches is truly shocking
Wikipedia lists nearly 300 companies that have suffered a security breach. Sadly, this often involves the theft of highly sensitive personal data.
Shockingly, the list includes businesses for whom one would assume data security would be an absolute priority.
Examples include financial institutions and government agencies that handle our most sensitive data.
The software/telecoms organisations that provide the applications that we rely on for our daily communications are also not immune.
Even businesses for whom data is their business have been found wanting: Google, AOL, Yahoo, Facebook, LinkedIn, WhatsApp, Snapchat and Dropbox, to name but a few.
As the digital revolution gathers pace, all companies will eventually find themselves in the business of data.
Companies should treat data like cash
Faced with such dismal data failures, it is clear that keeping data safe requires a shift in thinking for both companies and consumers.
And that thinking may be to equate data with money or cash.
For far too long, individuals have undervalued the worth of their data. All the while, they’ve overvalued the competence of their trusted institutions, such as banks or government agencies, or their favourite brands, such as British Airways, to use their data wisely and to keep it safe.
Until fairly recently, consumers routinely gave away large amounts of valuable information about themselves, for example whilst completing surveys, signing up to the latest promo or downloading a free app.
Added to this, as people we are highly social creatures. We take great pleasure in sharing personal data in a very public way on social media platforms such as Facebook.
However, the highly publicised data breaches of recent years, coupled with an increasing understanding of just how much data is being generated and shared, are already leading to changes in attitudes.
Increasing numbers of people are amending the previous settings of the devices and apps they use. They are also upgrading their internet security.
What’s more, some people have become extremely wary of digital communications, even from once trusted service providers.
Companies must restore trust in their data security
For companies, it is time to restore trust. They must understand that personal data is just that – personal. It belongs to the consumer who provided it for legitimate business purposes only.
With fines of up to 4% of turnover available to punish companies for data breaches, GDPR has no doubt forced many companies to think more seriously about how they acquire and manage data.
And yet, keeping it safe requires a culture change. When you equate data with cash, you drive that culture change.
Companies are investing in enhanced data governance
In any company, strong financial governance is essential.
How you generate cash, how you spend it and the returns that you make on it are closely controlled and regularly audited. Crucially, you take stringent measures to avoid misuse of the company’s money – i.e. fraud.
As with money, so with data. Smart companies are already investing heavily in enhanced data governance.
Clearly, money and data are not identical in the way that they are audited. For example, money is spent once but data can be used many times over. However, the basic disciplines of who has money (or data), how it is used within the company and how it is moved outside of it still apply.
Many data breaches seem not to be the result of sophisticated external attacks. Instead they happen due to the loss of a computer or a data device or even an “inside job”. Tightening up data governance must therefore go some way towards plugging the gaps in existing security systems.
For now, expect more data breaches to become public and more high-profile businesses such as British Airways to be fined until companies are as careful with their customers’ data as they are with their own money.