GDPR one year on

Recent multi-million euro fines for breaches of GDPR have reconfirmed the need for a watertight data management strategy.

By Angela Craigan

Just over a year ago, one of the main concerns for businesses and organisations operating in the European Union was the impending implementation of the General Data Protection Regulation (GDPR). Its introduction in May last year brought major changes to the way personal data could be handled. The run-up to its implementation saw an influx of email requests from organisations requesting permission to hold data.

GDPR increased the obligations on those holding data to protect it and gave individuals more control over how their information is collected, used and stored. Businesses must ensure that all reasonable steps are taken to secure data, train staff and disclose breaches. They must be clear about how they use personal data. Individuals can demand to see what data is held on them and can also request that this data is deleted at any time.

Now one year down the line, with our GDPR policies embedded into our businesses, the recent news that British Airways has been fined £183 million by the Information Commissioner’s Office (ICO), closely followed by a notice of intent for almost £100 million for the hotel group, Marriott, reminds us all of the importance of making sure we are not falling foul of the regulations.

While the fines are huge, neither are the maximum amount that could have been levied by the ICO, which can fine up to 4% of annual global turnover or €20 million (£18 million) – whichever is greater.

Security arrangements

With British Airways, the breach was caused when hackers diverted users to a fraudulent website and harvested information such as login, payment card, name, address and travel booking information. With Marriott, personal data including credit card details, passport numbers and dates of birth had been stolen in a hack of guest records.

There was no issue in relation to reporting the breach; both were reported within the mandatory 72 hours of discovery. With British Airways, the problem was the fact that hackers were able to gain access to the information. The ICO reported that the data breach occurred because British Airways had “poor security arrangements” in place to protect customer information. This again highlights the importance of protecting the data we hold on individuals; it needs to be protected through its lifecycle. This will require working closely with IT departments or external IT suppliers to make sure the systems are water-tight. We also need to be very careful about the disposal of data and IT equipment that has held data.

Achieving compliance

The simplest way to ensure compliance is to have a data management strategy. This should set out what information you need, how long you need it for and where it is stored.

It is understood that with Marriott, the breach had already occurred in a hotel group it purchased prior to the sale, although it was only discovered last year. When considering the acquisition of another company, it is essential to make sure sufficient due diligence is carried out to ensure the company being acquired is GDPR-compliant.

Although these recent cases involve large global companies, the legislation applies to all businesses and organisations regardless of size. The data-rich information age that we all now inhabit has been the trigger for GDPR. As members of Chartered Accountants Ireland, the role we play in the organisations in which we work has always been built on a foundation of ethical behaviour and trust in all matters – including that of data protection. As a result, the foundation of our profession continues to be relevant in the midst of an ever-evolving business landscape.

Angela Craigan FCA is a Partner with Harbinson Mulholland, the accountancy and business advisory firm.