The begging emails asking you ‘to stay in contact’ and ‘not to leave’ have finally stopped! That must be the end of GDPR, right? Wrong. A lot of Organisations believed that their database was the holy grail of GDPR. In fact, most of the litter in our inboxes came from companies that had been ill-advised and didn’t need to send a request for consent at all, just adding to the GDPR noise and annoying their database.
So, your Organisation has sent out its email campaign, you’ve cleansed your database, but how secure is that data?
In May 2018, Bayswater Medical Centre in London was fined £35,000 by the ICO after it left highly sensitive medical information in an empty building. The personal data, which included medical records, prescriptions and patient-identifiable medicine, was left unsecured in the building for more than 18 months.
Have you thought about the data you’re holding on paper? How secure are the cabinets? Who has access to those filing cabinets? How secure is the room those filing cabinets are in?
In May 2018, The University of Greenwich was fined £120,000 by the ICO following a “serious” security breach involving the personal data of nearly 20,000 people – among them their students and staff.
The investigation centred on a microsite developed by an academic and a student to facilitate a training conference in 2004. After the event the site was left live and unused, and in 2013 it was compromised. In 2016, multiple attackers exploited a vulnerability in the site, allowing them to access other areas of the web server and database.
The personal data included the contact details of 19,500 people, including names, addresses and telephone numbers. Around 3,500 of these records also included sensitive data, such as information on extenuating circumstances, details of learning difficulties and staff sickness records, and this was subsequently posted online.
The importance of the two examples above is that A) the Organisations weren’t charged over the consent of the data they held, and B) they were investigated and charged under the Data Protection Act of 1998. This illustrates that consent is not the ‘be-all and end-all’ of GDPR, and that the fines under GDPR are going to be considerably larger than those under the DPA.
Your database may be cleaned, but are you protecting the data you hold on your staff and customers? Contact Vox Securitas today to discuss what your Organisation still has to do to become GDPR compliant and mitigate the risk of a breach.