– £200,000 for an organisation whose data was not held securely and hacked into – the hacker threatened to publish thousands of names of people who sought advice on abortion, pregnancy and contraception
– £175,000 for a company which had sent millions of spam text messages
– £45,000 for a company which made numerous unwanted marketing calls; and
– £125,000 for companies which generated over 2,700 complaints to the Telephone Preference Service through unwanted calls.

For certain, the ICO’s appetite for enforcement has increased in recent years, and in 2015 the General Data Protection Regulation is likely to come into force. The new rules will only serve to underline the stricter view regulatory authorities are taking. So how can you ensure that your business is compliant?

Ensure you are aware of your legal requirements

Make sure you are compliant with the Data Protection Act 1998, a regulatory framework that outlines how businesses can use personal data. This includes rules about notification (compulsory for data controllers), disclosing personal details to third parties, IT and physical security, and the use of third party processors outside Europe. The proposed regulation in 2015 will offer data subjects greater visibility of their personal data and how they wish it to be handled, including the “right to be forgotten” (recently highlighted in the Google Spain decision). This means they will have the right to request that their personal data be deleted from computer systems. It will usher in a new regime on mandatory security breach reporting. Any breach of the regulation will result in fines of up to the greater of €1,000,000 or 2% of annual global turnover.

Ensure you are transparent

You need to provide clear, easy-to-access information about how data is being used. People like to feel that they have all the facts and that you’re a business that they can trust. As we have seen from Facebook, people do not necessarily object to sharing their personal data, but they need to understand what it is that you plan to do with it. Being open from the outset reduces any potential backlash later down the line. It is also a legal requirement.

Consider the expectations

Make sure that the data you collect can be used in accordance with the individual’s legitimate expectations. Companies have to draw a line between basic personal data and sensitive data such as medical history or criminal records, and make a clear distinction between the two. Sensitive data cannot be processed without an individual’s express consent.

Partner with a reliable IT expert

Much of the debate around big data lies with storage, security and back-up. Do join forces with a trusted IT specialist that can provide a certified data centre and can safely accommodate access controls for staff across different devices, locations and at different times. Insist on ISO/IEC 27001 compliance as a minimum.

It’s a balance

In many circumstances, collating customer data improves the overall experience, whether through offering targeted special offers to consumers, or using data to build a detailed medical history. Ensuring you get the balance right between privacy and personalisation is essential – few of us object to suggestions put forward on an e-commerce site, but none of us likes an intrusive email referring to data we believed to be private.