Let’s begin our discussion with a clumsy metaphor, if I may, in saying data is the food that nourishes many a successful business. Without data, many businesses wouldn’t function properly and would wind up very quickly. Now that large fines are being dished out, is it time for businesses to pay closer attention to how sensitive that data is, and to whom it belongs?
Absolutely. And I completely agree with your analogy. I’ve actually used that one a lot in the past, that food drives the business – you feed an animal bad food and the body will respond accordingly and die. So yes, now is the time to consider this. We’ve been in this game a long time and data has been around a long time. Personal information – as we’re all aware through social media, logging on and buying things online – is affecting everybody in all walks of life. The security around that is paramount. You may find that fines are high, but they’re few and far between. Certainly in the UK, the ICO – and probably quite rightly so – is hitting the big boys because they make the headlines; they get into the newspapers, that’s what people read, that’s what people see.
We’re talking about the likes of British Airways and Marriott Hotels here, aren’t we?
Absolutely. And with those two, that’s affecting people’s lives. I’ve had personal experiences with colleagues who were affected by BA and Marriott Hotels. They go hand in hand. You get on a plane, you go somewhere and stay at a hotel, which is invariably a Marriott at an airport. So the big fines are hitting the headlines, but let’s not forget that the smaller ones aren’t newsworthy, but they are in every sense just as important.
The one thing I would raise here is not so much the fines – you can almost budget for fines. I know it sounds horrible, but if you look at Facebook, their shares actually went up after they were allocated their $4bn fine, which was bizarre, but they had expected more. However, the one thing you can’t put a figure on is reputational risk. If your competitors see that you’re being investigated, let alone having a fine, they will use that. To recover from the news that someone has investigated, or that you’ve had a data breach … what that can do to the industry is unquantifiable. We’ve had situations in the past (I come from an investment banking background) where firms have been wiped out overnight because of reputational risk.
The common sense answer would be that you’re not having to answer to the legislator, you’re having to answer to the general public.
Indeed. And the general public are your customers. And in this day and age, which we see on the high street, the competitiveness to get customers coming to you is extraordinary. There’s so much competition out there. One piece of bad news, or one piece of misguided information, and you lose that overnight.
Document your processes
Let’s come back to the subject of fines and set aside the fact that companies put money aside to cope with them. I’ve read that reported breaches are around 85,000, and that number has probably changed since I read that. What about those companies that don’t have the big money to put aside?
The companies that don’t have the big money to put aside need to be very focused in how they control their data. We know the ICO will issue … well, if it’s a small breach, it can be 2% of last year’s total turnover, if it’s a large breach it can be 4%.
One piece of advice – and this is what 3ldc has been doing a lot recently in discussing with clients and customers – is that the ICO (and we’re focusing on the ICO because we’re the UK, but it’s the same with all supervisory authorities across Europe) are not really the bad people. They’re not out to get you. If you’re a small company and you can’t put this money aside, have processes documented, have procedures documented.
Everyone knows that with every regulation that comes out, you can never necessarily be 100% compliant. There will always be parts of your process, whether it be a legacy system or legacy process, or even just the people you have coming through your organisation – especially if they’re transient and just drifting through – where you can’t be 100% compliant. But if you can show to the regulator or the authorities that you are on course to be, and that you have procedures documented – yes you know there may be some gaps but you’re aware what they are – if you get a breach (and bear in mind they may not be the fault of the company), the single point of failure with everything is people like you and I. Human beings. You cannot guard against the stupidity of the human being! They don’t necessarily mean to do it, but that stupidity that is inherent in all of us is your single point of failure.
The ICO will not be the ones coming after you in that sense of being the bad guys. Show that you are in control and that you’re aware of your processes. If you have a breach, be aware and report it quickly. These will help you with the ICO. You may not even get a fine. You may just get, “Well thank you guys. Thanks for informing us. We’ll keep our eye on it and make sure you tighten your processes up.” You might just get a slap on the wrist. The ICO isn’t necessarily there to generate income … they’re not after every single penny from every single client.
Raising awareness of GDPR responsibilities
This comes back to the education side of things, and how seriously businesses take our data. The education of employees, so that they practice good GDPR skills and look after people’s data, has to come from leadership and management. If they don’t take it seriously, how do we encourage that?
That’s one of the things with GDPR: It’s the first time a regulation has actually named a person – there is a senior member (if the company is over a certain size) on the board or in the management committee that is a named person …
Like a ‘GDPR officer’?
Yes. So it’s above the data protection officer, which is a role you should have. It could be the chief finance officer, it could be the CTO, whatever … but it’s a named person the ICO has direct contact with. So if there is a particular breach, it’s not that you just get bogged down with bureaucracy in the company. The other side of that is that person has to be completely aware of what their responsibilities are. This is one of the things we push [at 3ldc]: awareness and training. It’s all well and good having your GDPR handbook on the shelf, but people really do need to know their responsibilities. They need to know how it affects you as an individual, and as an individual in that company.
You’re absolutely right in saying this is right to the top. If the top don’t buy into it, it’s very hard for that to filter down. As an example, I’ve been talking to some larger estate agents (I won’t name names). At the group level, shall we say, they’re very on the ball with GDPR. They have a data protection officer, they have a member of the board named for the ICO, and procedures in place. When you get down to the branch level, and bear in mind that some of these branches can be quite small with 2-5 people, are they fully aware? Are they completely compliant? How many times have you walked into an estate agent and found someone else’s file lying on the desk? That’s your point of failure. Obviously, people have to work at their desk and they will have documents open, but it’s at this level that awareness needs to be raised.
I read about heritage sites being asked to remove visitor books because they breach EU privacy and data protection rules! So the days of Jason Bourne being able to see who previously visited the building simply by ripping the page out of the visitor book are over!
Does that mean when Trump visited Windsor Castle and wrote his name in the visitor book, the Queen can now go and tear it out?
The challenges of the GDPR subject access request
Still taking about educating employees on good GDPR practice, there is also a matter of perception from the employee. I read research that showed one in three employees believe they have ownership over the data they’ve worked on for a company. So the data we pass over for them to do their job – a third of people believe they then own the data. That’s incredible!
That is incredible. Because of course, you don’t! That goes back to the days when, if you were in a sales role, when you leave and go to a competitor, you take your little red book with you or your list of business cards. I’ve worked for many investment banks and national management houses, and only one of those I worked for who, when I left, asked me to hand back all the business cards I’d been given during the course of employment there. I won’t say whether I refused or accepted. This was way back in the day, and they were right on the money. Those business cards and contact details didn’t belong to me. They belonged to me as a representative of the bank – not Nick Murphy.
It can go vice versa as well. The concept of sovereign identity is that you then say to that employer that you’d like to have returned every piece of data about me that you have, on the day that I leave.
This feeds directly into GDPR. One of the great things about GDPR when it first came in is that people said, “I’m going to write to my old university. I want a subject access request and I want them to find everything that was ever written about me.” And some of these people in their 70s, when they were at university it was all on paper, and there are probably documents still in the ledgers. It can be an awful challenge for a company to do that!
GDPR has brought some positives, but if you’re a company and you get hit by a subject access request, you have to turn that around in 30 days and you have to do it free of charge. And yes, you’re quite right: How do you go back and ensure you’ve deleted all of those emails and all of that correspondence that relate to the individual? It is a tough challenge.
It is. There’s also that education too – what companies know they should be doing and what they think they should be doing. You’ve just said about those data requests that were made. Did you read the story about the guy from the University of Oxford who contacted a bunch of companies to get as much information about his partner as possible? This was all done with his partner’s consent. He was doing it with the intention of highlighting how easy it is to facilitate a data breach simply by requesting the data. The companies didn’t really know what to do. They gave him so much information about his partner that they probably shouldn’t have.
Yes, it’s like over-compliance. They think they’re being very clever in complying completely with the rules and regulations, but potentially incurring a breach to the company in so doing.
And ironically PwC being fined in Greece recently for how it handled the processing of employee data, when PwC itself advises companies about GDPR best practise!
Motor finance and third party data sharing
Let’s come back to improving the process. We’ve talked about a number of the pain points and what needs to be done, and the human element and how we improve it. If we take the motor finance industry, buying a car is a bit like buying a house – which we’ve both done very recently – in that you come into contact with a lot of different companies in order to process the buying of the car. There’s the dealership, the finance company, the insurance company and so on. You data is shared across so many different places. This has to change in order for our data to be truly protected by the likes of GDPR legislation, right?
Yes. There are aspects of GDPR that are obviously … you can retain the data or share the data if it’s part of your normal business process in the sense of you’re buying a car and you want finance for the car, and you agree to have finance. Obviously the car showroom isn’t running finance – they would have third party finance, and your data has to be shared because you couldn’t conduct that business process or receive that service without sharing it. The whole area of third parties, which I guess is where you’re steering it to, is a tricky one. It’s when third parties potentially use that data for other reasons, or store it for longer than they should, that it starts to become an issue.
One of the greatest areas I’ve seen in recent research is with third party marketing companies. Again, within the ICO, this is going to be one of its areas of focus, where data has been taken by third parties, obtained by a third party for the right reasons because when you’re buying a car you need finance, insurance, so that’s two other third parties, and you might need servicing and so on. When those companies then use that data for marketing … they’ve obtained the data legally to provide that business service, but when they start to use that data for other purposes, or to pass it on to other people, that of course is completely illegal. And that’s one area that’s growing that the ICO is focusing on.
In a sense, it’s what happened with Cambridge Analytica. They obtained data, then used it for reasons that were not agreed in the initial obtaining of the data. This is an area the ICO are looking into. To actually look at the discussions and consultations they’ve had with people recently, that’s an area that’s going to grow. And if you’re in that business, the marketing business is a tricky one, because if you’re in that business of obtaining data and needing to share it, that’s one you should really be aware of and understand before you start sharing it.
We’re a year in now and there are two main things to look at as a company that has data. Be aware and understand why you’ve got it, be aware of and understand the service you’re offering, and constantly review the data you hold. You may hold data on someone you don’t need anymore. Clear it out. Delete it. Gone are the days when you can just say, “Oh it’s stuck in a filing cabinet, it doesn’t really matter”. No. If you’re not providing a service and you don’t have to hold it for legal reasons …
… For other people to look at, and whoever’s looking at it within the business who has access to the data …
Yes. Going back to what we said at the beginning, if you start to do this, you may not be able to clear all of it out. But if you’re aware of it and something happens where the ICO come after you, you can say you are in the process of clearing the data out: “We did hold records for 15 years and only needed them for three years, but we’re in the process of clearing it out.” If someone makes a complaint, at least you can show or understand how you should be compliant and you’re actually making steps towards that.
Everyone is responsible for protecting people’s data
A lot of it isn’t malicious sharing of data. Accidental sharing is just as serious a breach.
It is! One of the senior guys at 3ldc overheard this wonderful conversation on the train, and he won’t mind me repeating this as he’s quite proud of overhearing it. There were a couple of cleaners on the train and they’d worked for an estate agency firm and one of them said, “You’ll never believe it. I got in trouble with the manager. We were clearing out some of the rubbish from the bin and putting it in clear plastic bags and putting them on the street.” Nothing was shredded. A policeman came along, looked at these clear plastic bags and could quite easily see the bank statements and PII data in these bags (personally identifiable information). He went in to see the manager and said, “You do realise this is technically illegal”. The cleaners got into trouble. If you are going to do that, at least use black plastic bags, not clear plastic bags!
Again, that wasn’t malicious. They’re just doing their job. They’re told to clear the bins. Someone in the office should have shredded it, but it comes back to that point where it’s not malicious, but it’s that human factor again.
The anecdote highlights that it’s everyone in the business. Everyone who comes into contact with the business, every level is responsible for protecting people’s data.
And as we have the newspaper headlines – the BAs and Marriotts – people are realising they can actually raise issues of complaint. Recent statistics show complaints to the ICO are in excess of 200,000. If you were to go back two or three years, the statistics wouldn’t have been anywhere near that. And reported data breaches are 85,000 to nearly 100,000 so far in Q1. This is purely and simply because people are more aware of their rights, like you and I, who have read the newspapers and are more aware of it.
That policeman could have raised an issue or raised a complaint. Those ladies were just doing their cleaning jobs. No one told them to use black plastic bags and that everything should be shredded. That could have raised a complaint.
GDPR, cybersecurity and simple steps
How can technology play its part in mitigating human error in handling data?
Well, you’re never really going to get away with human error. But, to mitigate it … GDPR is just one element of the whole info cybersecurity framework. It’s just one piece of armour against it. I think one thing to look at is basic, simple protection. If you have in your company or your office issued laptops and mobile phones, encrypt them. Have data encryption. Have password protection. If that laptop gets lost and the hard drive is encrypted and password-protected, even if it has everyone’s personal information on it, it would not constitute a data breach because you have taken those steps.
There are simple things we can do. I know some companies are refusing to issue their staff with intelligent devices – going back to a phone being a phone! – and are not allowed to take laptops off-site. But even then, secure your premises. Don’t have a back door open because it’s 35ºc and it’s unusual in this English summer.
Reduce the amount of paper you hold.
Reduce the amount of paper, yes. We work with a company that does email encryption protection, and it’s simple but very good. If I send you an email and I accidentally send it to Shaun Watson instead of Shaun Weston, I can withdraw that. There is software out there that can give you more control over email.
I notice Gmail just introduced ‘confidential mode’, haven’t they?
That’s right. So these are simple steps you can take. They don’t cost a lot of money. In some cases, they’re free. You will always send an email to the wrong person – it’s going to happen. But if you’re sending sensitive email, there are tools out there that you can plug in. There was one classic example where I was working at a bank, and a person in the HR department – instead of sending salary details to one person who’d asked for them; “Could you please give me details of my salary and my account” – managed to forward the salaries of every single member in the company. That’s 85,000 employees. Sent to all 85,000 employees! Again, that’s just because they’re using a normal in-house company email system with no encryption and no protection.
I’m going to come back to that clumsy metaphor we both like, about food. GDPR Certification is on the horizon. Sounds a bit like the ratings you might see from the Food Standards Agency on a restaurant window. Will it work like that?
Interestingly with the Food Standards Agency and their 1 to 5, there’s no legal obligation to put that in the window. Generally, if you have a four or five, stick that in the window. It’s a good advertising concept. But if you have a one to a three, how many restaurant windows you walk past say they have a rating of one? It’s not a legal requirement to put it on the window. You can only assume that if they don’t have it on the window, they’re probably less than four.
And the same will apply to GDPR Certification.
Exactly, yes. It can form part of how you choose which estate agent you go to. But at the end of the day, if a person’s got a product you want, ie that house going through that one agent, and they don’t have a very high rating, I suppose it gives you that choice. Do I take the risk? All of these things are important and helpful to customers, but the bottom line as advice to people is common sense. Don’t leave documents lying around. Be aware of what’s in your workspace in front of you. Keep your own processes tidy. Be aware of what you’re doing and understand why you’re doing it. It’s all about awareness.
And as a manager, ensure your staff are trained. Don’t run training programmes once a year. If you get new people in, don’t make it a checkbox. Sit down, talk people through it and make them aware of what they’re doing. Would you leave your bank card with your PIN number on the pavement outside? No. That’s essentially what you do when you’re looking after personal information.