By Andy Bridges, Data Quality and Governance Manager at REaD Group
The Gemalto Breach Level Index (BLI) recently published some rather concerning findings: more data records were leaked or stolen in the first half of 2017 than in the whole of 2016. An even greater, and perhaps somewhat surprising, cause for concern is that the report also revealed the most common cause of data breaches to be accidental loss and data being inadvertently left exposed.
While attacks by cyber criminals make for more compelling reading, more attention needs to be paid to internal threats such as accidental loss and other acts of negligence. If nothing else, the BLI report highlights that UK data security culture is in serious need of an overhaul. So how exactly can businesses better protect themselves?
However much we like to believe that information breaches are largely the result of strategically orchestrated attacks by criminal masterminds, the truth is generally far less dramatic. They are frequently the result of human error, such as misplacing hard drives, poor password management, careless file sharing or a lack of vigilance against increasingly prevalent phishing emails. All of these can be easily prevented.
More than anything, businesses must incorporate information security into office culture. Protecting information is no longer the sole responsibility of IT and compliance departments; data security is a company-wide responsibility.
As a first step, staff should be trained on a regular basis to ensure that everyone understands best practice in the workplace. HR policy should also be altered to reflect the fact that the responsibility for instigating better behaviour doesn’t lie solely with IT.
Additionally, employees should be on the lookout for potential threats to information security, such as leaving computer screens unlocked and leaving confidential paperwork unattended, and should be encouraged to self-police. Implementing a clean desk policy is a good first step towards safeguarding confidential information.
In order to better protect an information estate, companies need to understand what information they hold. As well as ensuring that data is clean and viable, and that all relevant permissions and consents are held for it, companies must also ensure that appropriate data protection and information security practices are in place. Recital (100) of the GDPR states that:
‘In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms and data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services.’
It is not currently compulsory to report a data breach, but once GDPR comes into force next year, all companies must report a data breach to the Information Commissioner’s Office within 72 hours. In addition to risking a hefty fine, companies will also stand to incur the longer-lasting damage to their reputation.
With this in mind, it seems highly probable that we will see an increase in breach reports, most likely not because breaches increase, but because companies will have much more incentive to be transparent and open about such occurrences.
Overall, GDPR presents a great opportunity for UK businesses to step up their data protection strategies and better protect themselves against data breaches. The new regulation stipulates that companies will have to be much more rigorous in their approach to collecting, storing and using customer data, which should correspondingly see a vast reduction in accidental loss. Inevitably, this increased transparency will result in more trusting and loyal consumers.
It is now less than six months until GDPR is introduced, and the more earnestly businesses prepare and implement the necessary data protection strategies, the sooner we will see a significant reduction in the number of data breaches.
By Scott Logie, MD, Insight at REaD Group
In the ongoing race to maximise compliance and pip GDPR to that ever-encroaching finish line, the whispers and concerns over its implications continue to reach fever-pitch.
Earlier this year, the Information Commissioner’s Office (ICO) made an example of the Exeter-based airline Flybe by enforcing a sizeable £70,000 fine. The airline incurred this by sending millions of marketing emails to customers who did not wish to receive them; the ICO have made it very clear that when it comes to consent infringements, they’re taking no prisoners. ICO head of enforcement Steve Eckersley stated that Flybe “deliberately contacted people who have already opted out of emails from them” by asking if they wanted to update their preferences, which he stressed is still a form of marketing.
It is therefore hardly surprising that many travel companies have begun to feel apprehensive about their ability to communicate with their customers come the day of GDPR reckoning (May 2018). Fines such as the one sustained by Flybe are becoming more prevalent, which only emphasises the necessity for companies to obtain consent from consumers. Consent essentially entails an individual giving approval for the processing of their personal information. The bottom line is that travel companies, and indeed all businesses, will have to be far more transparent if they hope to avoid harsh sanctions from an unforgiving ICO.
Initial guidance provided by the ICO suggests that a pre-ticked opt-in box will no longer constitute legally obtaining permission. Instead, unequivocal and unambiguous consent must be obtained through active opt-in: the box must be empty to begin with. Moreover, comprehensive details of how the data will be used must be provided. Contrary to the current system, consent requests must under no circumstances be hidden in the Narnia of terms and conditions or be a precondition of subscribing.
Admittedly, marketing strategies may require a bit of adjustment, but in the long run these new regulations should be seen as a positive change for customers and operators alike. While they may ultimately result in a shrinkage in the size of marketing databases, the overall quality and saturation of amenable and valued customers within them shall undoubtedly increase. Those who have willingly shared their personal information will prove more beneficial to marketers than those who have been duped into giving permission. Consumers are more than happy to part with their details as long as they perceive that they are receiving a tailored and personal service in exchange. For travel companies, details of a customer’s budget, lifestyle and favourite destination can be used to provide the kind of customer service that consumers have come to expect.
On the other hand, it seems likely that smaller companies and those that have already fallen under the ICO cosh may struggle somewhat more than household names to convince consumers to part with their personal data. Nonetheless, there are certain measures that all travel operators, irrespective of size or reputation, can implement to limit any negative effects of GDPR.
The most effective course of action might be to devise highly targeted marketing campaigns that demonstrate to consumers the benefit of consenting. Personal offers and relevant streams of contact can be instigated once travel companies have segmented their customer database into smaller groups based on factors such as interests, favourite destination and budget. How soon should you do this? The sooner the better; GDPR waits for no man.
Once the swirling dust and initial shock of GDPR have settled, companies should find that they are left with a more concise database consisting of receptive customers, which, truth be told, is an infinitely better prospect than a larger spread of individuals who weren’t aware that they had consented in the first place. By conducting these highly targeted campaigns, travel operators can seize the opportunity to demonstrate the value exchange in sharing information and strengthen relationships with their existing customers before GDPR’s implementation. This may seem like an extreme alteration in approach, but travel companies should find that if they navigate these uncharted waters effectively, treasures and bounty await.