Every business has a duty of care for the personal data of its customers, suppliers, and staff.
The law enshrines it in the General Data Protection Regulation (GDPR), the Data Protection Act 2018, and the PECR, and any data breach must be reported to the relevant authorities, generally within 72 hours. In the UK, that’s the Information Commissioner’s Office (ICO).
Every data protection officer, owner, manager, and CEO should also know there are common mistakes which businesses make that could lead to an investigation by the ICO – and that could lead to a fine.
The damage to your business’s reputation could be even more costly than a fine. Potential customers could go elsewhere if they fear their data won’t be handled securely, and data subjects whose information was involved in a breach could launch costly legal actions against your business.
Here is our guide to the four most common data protection mistakes:
1. Problems with cyber security.
Hackers can cause major problems for any business.
If they gain access to your systems, they could steal personal data such as names, addresses, emails, banking details, and national insurance numbers.
An airline fell victim to a brute force password attack which was discovered in 2018. The airline called in a cyber security firm and reported the matter to the ICO.
The ICO investigated and found that between 2014 and 2018 the airline’s computer systems “lacked appropriate security measures which led to customers’ personal details being exposed, 111,578 of whom were from the UK, and approximately 9.4 million more worldwide.”
Malware to harvest data had been installed after a hacker entered a server connected to the internet.
Passengers’ personal details such as names, dates of birth, passport and identity details, postal and phone numbers, email addresses, and travel information histories were stolen.
The investigation found that internet-facing servers were unpatched, operating systems which were no longer supported by the developer were used, anti-virus protection wasn’t adequate, and back-up files had not been password protected.
An ICO spokesman described finding “multiple serious deficiencies”. The airline had failed on four out of five of the basic Cyber Essentials guidance from the National Cyber Security Centre.
The airline had, though, sought expert assistance from a leading cyber security firm, it had issued the appropriate information to individuals affected by the data breach, and it had co-operated with the ICO investigation.
It was fined £500,000 for failing to protect customer personal data; the ICO investigated this case under the Data Protection Act 1998.
Even point-of-sale terminals can expose a business to hackers.
In January 2020, the ICO fined a UK-wide retail chain £500,000 after a cyber attacker installed malware on more than 5,300 tills.
The malware harvested personal data for nine months between 2017 and 2018. The data breach affected at least 14 million people and involved 5.6 million payment card details.
The company was found to have breached the Data Protection Act 1998 because of “poor security arrangements and failing to take adequate steps to protect personal data”, the ICO said.
Vulnerabilities found included the lack of a local firewall, inadequate software patching, a lack of network segregation, and a lack of routine security testing.
The ICO said the affected customers were left vulnerable to theft and identity fraud. By March 2019, the company reported almost 3,300 customers had contacted them about the data breach.
2. Unsolicited marketing calls.
Telephone marketing is governed by GDPR and the Privacy and Electronic Communications Regulations (PECR).
So, you need to think about the lawful basis under which you hold phone numbers and names under GDPR and process them for marketing. That basis can be either consent or legitimate interests, but there are conditions and requirements which must be met for each of them.
You must also remember that PECR lays down tight rules for sending marketing text messages or emails, and for telemarketing calls.
It says you must not send marketing texts or emails to individual subscribers without specific consent (this can include sole traders and some partnerships), unless there is an exemption.
The exemption applies when you obtained the details during a sale or sale negotiations, you are marketing your own similar services or products, and you gave the person an opportunity to opt out when you first collected the information and in every communication since.
So, you may be able to text or email your own customers without consent, but not your prospective customers.
Unsolicited calls, however, are a more emotive subject for many people; recipients can find them irritating or distressing, especially if they are silent or repeatedly abandoned calls. The makers of silent or repeated calls can be reported to Ofcom, which can also issue fines.
PECR says businesses must not make marketing calls to people who have told you they don't want your calls.
They should also not be made to any numbers which are registered with the Telephone Preference Service or the Corporate Telephone Preference Service.
Failing to do this can lead to an ICO investigation.
In 2019, a Swansea double glazing company was fined £150,000 after it called people whose numbers were registered with the TPS and who had not given their consent.
The unsolicited calls attempting to generate leads for UPVC installation were made over 11 months.
The ICO also issued an enforcement notice telling the company to cease the calls which breached the laws governing electronic marketing.
This followed a £160,000 fine for a Scottish boiler replacement company just weeks before.
The Scottish company had made 853,769 calls to people registered with the TPS in a seven-month period in 2018 after buying in data from a third party.
It was also served with an enforcement notice.
3. Sharing data without the subject’s proper consent.
Businesses should also beware of sharing personal data without getting the subject’s proper consent.
Before you do, you should carry out a Data Protection Impact Assessment and have a clear agreement in place about what will happen to that data.
You should also ensure you’re complying with both GDPR and the DPA 2018.
Failure to do so could be costly; the ICO’s data sharing code sets out what is expected.
In 2019, a UK-wide pregnancy and parenting club was fined £400,000 after it breached the previous Data Protection Act 1998.
It had collected personal information at membership registration via its website and its mobile app, through claim cards for packs of merchandise, and from new mothers in hospital.
However, the company was not fully clear with people at the point of data collection that it also supplied their data to third parties for electronic direct marketing. It shared personal information with 39 organisations between 2017 and 2018, including marketing agencies and credit referencing companies.
More than 34 million records were shared.
The personal data shared included information about potentially vulnerable new mums or mums-to-be and about newborn children, including a child’s sex and date of birth.
The ICO found the club’s online privacy notices had a reasonably clear description of the organisations with which they might share information. However, none of the four largest data recipients were listed.
Nor did any of the claim cards or offline registration methods include an opt-in for marketing.
The ICO said they were “not open or transparent to the millions of people that their personal data may be passed on to such large number of organisations.”
4. Not securing data in waste documents or hard drives.
When we clear out documents, old hard drives, or old removable media such as USB sticks and memory cards from cameras, we need to be aware that they can all contain personal data.
This can be used by ID thieves or hackers to damage our businesses.
Thieves can steal information about staff, clients, and suppliers which could be used to steal from them or from us.
Documents could contain passwords or system data which would allow hackers to breach our systems and cause havoc in our businesses.
So, everything we throw away which could contain personal data must be dealt with securely.
This is especially important for special category data under GDPR, such as information about race or sexual orientation, medical records, political views, or trade union membership.
Otherwise, we could end up like one London pharmacy business which was fined £275,000 in 2019 for failing to ensure the security of special category data.
It left around 500,000 documents in unlocked containers at the rear of its premises.
The documents dated between 2016 and 2018 included names, dates of birth, addresses, NHS numbers, prescriptions, and other medical information.
The ICO also issued the pharmacy with an enforcement notice.
The pharmacy could have avoided this fine by simply ensuring its waste documents were kept under lock and key and then shredded securely.
Hard drives and removable media should also be physically destroyed, because information we think we’ve deleted from them can often still be retrieved.
So, what’s your best defence against these four mistakes?
The best way to ensure your business doesn’t count the cost of these common errors is to set up robust data protection protocols in your business and train your staff well to comply with them.
The best starting point is a data protection audit by a professional, such as ours at IOLIS, which will show you the business’s strengths and weaknesses.
The specialist will audit your data protection framework and how your policies are implemented.
They will flag up issues before they escalate into a complaint, and they’ll help get your organisation into the best shape possible.
Audits usually take around a day on site for an average sized business and include a written report.