I recently headed off on holiday, looking forward to leaving all thoughts of work behind for a while. Instead, I came across issue after issue around the security of my personal data that brought home some shocking truths about the realities of how the General Data Protection Regulation legislation (GDPR) is being implemented.
It started at the airport where my flight was late landing, so I missed my connection. As part of the compensation process I had to go to the airline’s customer service desk to file a complaint. I was horrified to find out that, rather than filling out a digital form, this involved writing my contact details into a ledger underneath rows and rows of other people’s personal information. Had I wanted to, I could easily have stolen their details.
I put this breach of GDPR down to a one off failure — even though I was surprised at an organisation the size of the airline making such a glaring mistake — and got on with enjoying my holiday… except another incident occurred as soon as I got to my hotel. The receptionist asked to borrow my passport to take a copy of it and she looked totally confused when I told her that was against the law.
I wanted to visit some volcanic caves but, before I could go in, I was asked to write my details down in a log book and, as with the airline, everybody else’s personal data was available for me to see — and steal, if I’d been so minded. And this was a government-run attraction! It seemed GDPR breaches were happening everywhere; each of the four companies I used for whale-watching trips had the same insecure and illegal log book system.
Surely that would be the last GDPR issue I’d encounter? Unfortunately not. I went to hire a car and there was no one at the customer service desk when I got there — but there were lots of completed forms just lying out on the desk, all of them containing other customers’ personal data.
The frightening conclusion I came to during my holiday is that breaches like these are most likely happening everywhere because GDPR hasn’t become a reality yet — even though it’s been in operation since May.
In every example I gave, the only thing that protected my data was my own vigilance and knowledge of the law. I’m sure that all the companies I dealt with had data protection policies in place — at a head office level — but perhaps it was just a tick box exercise? It was obvious that this knowledge and awareness hadn’t filtered down to the people on the front line. And those front-line breaches are what could, if picked up by the regulator, cost the companies huge fines. Remember the maximum fine is up to €20 million or four per cent of annual global turnover, whichever is higher. Organisations need to be living the values of the law in every aspect of their business.
This data protection issue is just one ‘small’ (but potentially expensive) example of the importance of knowing where your data is and how you control and protect access to it, and by whom. Across your whole security remit you need to know that your approach is sufficient, and that you can demonstrate the validity and effectiveness of your efforts — from the top of your organisation right down to the people on your front line.
The gap I spotted between GDPR policy and practice on holiday can happen in any organisation handling data — and could be happening in your organisation, right now. Ensuring you’re compliant with regulations is a constant battle, and it requires a disciplined process to assess your current level of compliance as well as any steps you need to take to resolve any discrepancies. However, from what I saw on holiday, I believe that that’s only the beginning. Once you’ve corrected any discrepancies you then need to start an educational awareness programme throughout your organisation to make sure everyone is living your security values.
Here at BT, we’re happy to share our expertise on getting your data security right. A great place to start is by downloading our whitepaper: Check you’ve got the right security in place for your GDPR journey and our security ebook.