PERSONAL DATA - CAUTIONARY TALES - WHAT NOT TO SHARE AND WHAT TO DECLARE
Last week two data breach stories made the headlines, and together they highlight the risks for companies and other institutions of not paying adequate attention to data protection.
On Monday, news outlets revealed that Russell Group universities were under investigation by the Information Commissioner following allegations they had retained and shared former students’ data for fundraising purposes, without the students' knowledge.
On Tuesday, the CEO of Uber admitted that the company had covered up a hack which occurred in October 2016, as a result of which personal data belonging to 57 million people all over the world had been stolen. Uber failed to declare the incident, either to regulators or to the drivers and customers affected, despite the potential for identity theft. Both US and UK regulators have since announced they intend to investigate the matter.
Together, these cases provide examples of what not to do regarding personal data.
Many are aware of the threat that cyber-attacks pose to data security, but they are not the only risks for organisations that hold personal data. The regulatory requirements extend beyond the security requirements. Julian Box, CEO of cloud solutions provider Calligo, has rightly observed that there is no point in erecting a ring of steel around personal data an organisation should not have in the first place.
As Elizabeth Denham noted in relation to the Russell Group story: “Personal data belongs to the individual and that means they have the right to make choices about how it is used.” If the allegations against the universities are true, then their failure to keep students and former students informed of how their data was being used for fundraising purposes may have been a data breach. A cautionary tale for others in the not-for-profit sector.
Similarly, it is not just Uber’s failed security measures that are landing it in trouble, although these have been criticised by security experts. Its real crime may have been failing to disclose the breach. Corey Williams, a senior director at identity management specialist Centrify, has said: “While the Uber breach was large in terms of the 57M customer and driver records lost, if Uber had followed standard breach protocol by notifying authorities and impacted users, remediated the problem and laid out steps that they were taking to avoid future breaches, the impact would have been much less.”
It is too early to predict how the universities or Uber will be affected by these incidents. That said, Uber was fined $20,000 for failing to disclose a much smaller breach in 2014, and it must be bracing itself for a more substantial penalty this time around.
Whatever the fallout, the consequences of future breaches in this jurisdiction will be greater after the GDPR is introduced in May next year. By way of example, the ICO will have the power to fine organisations up to 4% of their global annual turnover.
Whether you are involved in a business, a charity or another entity, now is the time to ensure you have proper protocols in place. And bear in mind that the GDPR applies to everyone who holds personal data, no matter how small the organisation. The Information Commissioner's Office has a helpful checklist for getting ready on its website.