The intention to fine a record amount to British Airways (as reported by the ICO* on Monday 9thJuly 2019) may have come as a shock to quite a few. However, these levels of fines and other significant penalties may start to become more familiar as more companies become exposed in their negligence of protecting personal information.
The 2018 Cyber Governance Health Check** report into the top FTSE 350 companies released by HM Government in March 2019 revealed some interesting findings, which should cause concern for boardrooms across all businesses that collect and process personal data – whether its customers, employees, or business partners/suppliers. The key findings from the report show that:
- Less than two thirds (60%) of the FTSE 350 list of companies report that their appetite for risk (the extent and type of risk the business is willing to take) is agreed and written down. Therefore, for more than a third (40%) of businesses, there is a risk that not all staff members share the same vision as the board regarding the level and type of risk that they are willing to take.
- 77% of FTSE 350 businesses do not recognise the risks associated with businesses in the supply chain with whom they have no direct contact.
The report also states that only around 1 in 5 boards of FTSE 350 businesses have undertaken a crisis simulation on cyber risk in the last 12 months, which – when you take into consideration that in 2017, 70% of large companies (and 74% of SME’s) reported that they had suffered a cyber breach*** this suggests that we’ll see a lot more exposure of cyber weaknesses in what are perceived to be credible brands and organisations who lead the public to believe that they deliver exemplar business practice.
Martin De Bruin, CEO at Deslyon suggests a few tips to help boardrooms start and navigate their way through their privacy strategy:
“First and foremost, the Board (including the CEO) has to decide on the company’s mission when it comes to Data Protection & Privacy. Then they can develop their strategy in accordance with the mission and form the team to steer the strategy. The framework should be based on the organisation’s needs as there isn’t really a one-size-fits-all. More often than not, the biggest risk in any organisation comes from internal, so it is vital that training & awareness is steered by the top. Communication is essential if all employees are expected to follow the company’s lead.”
If the words of Elizabeth Denham, UK Information Commissioner didn’t read loud and clear before, then maybe the following quote from her will make boardrooms across the country take notice:
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage, or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
To discuss your compliance requirements or to understand your obligations when it comes to privacy and Data Protection, email firstname.lastname@example.org without delay.