Following the recent revelation of a large-scale data breach suffered by British Airways (BA), reportedly affecting 380,000 of its customers, Julia Seary, Partner at Roythornes Solicitors, discusses with Total Business how organisations can prevent a data breach as well as protect themselves if such an issue takes place.
When news broke that hackers had stolen both the personal and financial details of its customers, it was undoubtedly a bad day for BA and the latest in a string of IT-related problems that have plagued the company over the last 12 months.
Historically, companies have tended to wait until they were backed into a corner before telling customers about a data breach. Since the General Data Protection Regulation (GDPR) came into force earlier this year, an organisation must report a personal data breach to its supervisory authority (in the UK, the ICO) within 72 hours of becoming aware of it, and must also tell the affected individuals without undue delay where the breach is likely to result in a high risk to them.
From April 2017 to March 2018, around 350 cyber security incidents were reported to the Information Commissioner's Office (ICO); Q4 of 2017/18 saw a particularly sharp rise in reported incidents, up 31% on the previous quarter.
With GDPR now firmly in place, this trend is only set to continue as data protection law tightens significantly, leaving businesses little room for internal errors or, arguably more damaging, an external attack.
BA's chief executive Alex Cruz has apologised for what he described as a "sophisticated, malicious criminal attack" on its website, but that will do little to reduce the potential fine facing BA following an investigation by the ICO. The maximum GDPR fine is the higher of €20 million or 4% of annual global turnover; for a company of BA's size, that could run into hundreds of millions of pounds.
So, how can businesses avoid a data breach?
Firstly, the phrase ‘prevention is better than the cure’ is one that should be remembered when considering how to best protect data and avoid any nasty surprises.
It is important to be as transparent as possible with customers and inform them of how their data will be used and stored, whilst providing them with the option of a quick and easy opt-out should they change their mind at any time about hearing from you. The key to achieving this is to have in place a simple and easy to read privacy notice available for review.
From an IT point of view, keeping software patched and firewalls correctly configured is vital, and so is keeping the records (patch history, configuration changes, logs) that show those measures were actually in place. Should a breach occur, the organisation must be able to demonstrate to the ICO that it took appropriate technical and organisational measures to mitigate the risk of such an attack.
How can businesses manage a subject access request most easily?
Once a subject access request has been received, businesses are legally obliged to respond within one month. That period can be extended by up to two further months for particularly complex or numerous requests, provided the individual is told of the extension within the first month.
It should be as simple as possible for an individual to submit a request, and data should be categorised so that it is straightforward to provide the individual with all of the relevant information your organisation holds about them.
If steps have been taken to organise all data sufficiently and responsibly, this won’t be an issue.
There are a few additional points to consider when processing a subject access request, which are:
- Blank out all exempt/irrelevant information where necessary.
- Verify the identity of the individual.
- Do not disclose anything that could be classed as confidential, such as legal advice.
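The three checks above, applied to a small constructed dataset, as an added example that is not part of the original article. The record format, the tagging of third-party and privileged fields, and the identity check based on a previously issued verification code are all assumptions made for illustration; a real organisation's records and verification process will differ.

```python
"""Added example: assembling a subject access request (SAR) response.

Applies the checks listed above: verify the requester's identity, return
only records about that data subject, blank out third-party personal data,
and withhold legally privileged material. All data here is constructed.
"""
import hashlib
import hmac
from typing import Any

# Constructed sample records (not real customers). Each record is tagged with
# the data subject it concerns, any fields that identify other people, and
# whether it is legally privileged. This tagging scheme is an assumption.
RECORDS: list[dict[str, Any]] = [
    {"subject_id": "cust-001", "category": "booking",
     "data": {"route": "LHR-JFK", "card_last4": "4242"},
     "third_party": {}, "privileged": False},
    {"subject_id": "cust-001", "category": "support_note",
     "data": {"summary": "Delayed baggage complaint, refund issued"},
     "third_party": {"handled_by": "Dana Reyes", "co_traveller": "cust-002"},
     "privileged": False},
    {"subject_id": "cust-001", "category": "legal_advice",
     "data": {"summary": "Counsel's view on liability for the delay"},
     "third_party": {}, "privileged": True},
    {"subject_id": "cust-002", "category": "booking",
     "data": {"route": "MAN-DUB", "card_last4": "0005"},
     "third_party": {}, "privileged": False},
]

REDACTED = "[redacted: third-party personal data]"


def _digest(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


# Assumed identity mechanism: the requester quotes a verification code that
# was issued to them out of band; only the code's SHA-256 digest is stored.
VERIFICATION_CODES = {"cust-001": _digest("K7Q2-XM9P")}


def verify_identity(subject_id: str, code: str) -> bool:
    """Constant-time comparison of the supplied code against the stored digest."""
    expected = VERIFICATION_CODES.get(subject_id)
    if expected is None:
        return False
    return hmac.compare_digest(expected, _digest(code))


def build_sar_response(subject_id: str, code: str) -> dict[str, Any]:
    """Return the disclosable records for one data subject.

    Raises PermissionError if identity cannot be verified, so nothing is
    released to an unverified requester.
    """
    if not verify_identity(subject_id, code):
        raise PermissionError("identity not verified; do not release data")

    disclosed: list[dict[str, Any]] = []
    withheld = 0
    for rec in RECORDS:
        if rec["subject_id"] != subject_id:
            continue  # about someone else: irrelevant to this request
        if rec["privileged"]:
            withheld += 1  # confidential material such as legal advice
            continue
        out = {"category": rec["category"], "data": dict(rec["data"])}
        # Keep the field names so the subject can see a field existed,
        # but blank out the other person's details.
        for field_name in rec["third_party"]:
            out["data"][field_name] = REDACTED
        disclosed.append(out)

    return {"subject_id": subject_id,
            "records": disclosed,
            "withheld_privileged": withheld}


if __name__ == "__main__":
    import json
    print(json.dumps(build_sar_response("cust-001", "K7Q2-XM9P"), indent=2))
```

Running the block prints the two disclosable records for cust-001 with the support agent's name and the co-traveller's identifier blanked, and reports one privileged record withheld; a request for cust-002 using cust-001's code is refused outright. In practice the date of receipt should also be recorded alongside the response so the one-month deadline can be evidenced.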
What are the best practice guidelines for contacting individuals lawfully by electronic means?
For businesses whose customers have bought, or negotiated to buy, a product or service, this is slightly easier to manage: the business may contact those customers about its own similar products or services. This 'soft opt-in' can be relied on to market to such individuals electronically, for example by email or SMS, as long as they were given a simple way to refuse when their details were collected and an 'opt-out' option is readily available in every message.
For organisations such as charities or NGOs this is more complex, because a supporter is unlikely to have actually purchased goods or services. Even if the individual you would like to contact electronically is an 'active' supporter, sending a simple newsletter could still fall into the category of 'direct marketing' and so require consent, as the organisation cannot rely on the 'soft opt-in' legal basis.