Information Commissioner’s Office (ICO) announces its intention to fine British Airways for a data breach under GDPR
The ICO has just published its Notice of Intent to fine British Airways £183.39 million for infringements of the security principle of GDPR. The breach was disclosed by the airline back in September 2018.
While the ICO has merely published its intention and no actual fine has been imposed, the fact that the ICO has published a Notice of Intent suggests that it has enough evidence of the breach to keep British Airways on the hook.
The ICO’s investigation found that a variety of information was compromised by poor security arrangements at the company, including login, payment card, and travel booking details, as well as the name and address of customers.
A year has passed since GDPR came into force. In our recent webinar, Director of Course Development Nick Henderson and Data Protection Officer Ruth Cohen looked at how businesses dealt with GDPR. Ruth gave guidance on how to make sure your organisation maintains compliance as the regulation enters its second year.
The webinar covered:
A review of the requirements under GDPR
How often should staff be trained on GDPR?
What measures should be taken to maintain compliance?
How to avoid data breaches and what to do in the event of a breach
The EU’s General Data Protection Regulation (GDPR) has now been in force for a while. The regulation increases the responsibility and liability of organisations, with hefty fines having already been handed to Google by French authorities and other giants such as WhatsApp and Facebook facing investigations.
How often should staff take GDPR training?
The Information Commissioner’s Office (ICO), the UK’s data protection authority, spells out that staff must be trained, and regularly. The ICO states:
The GDPR requires you to ensure that anyone acting under your authority with access to personal data does not process that data unless you have instructed them to do so. It is therefore vital that your staff understand the importance of protecting personal data, are familiar with your security policy and put its procedures into practice. You should provide appropriate initial and refresher training.
GDPR has been law across Europe since 25 May 2018. It represented a sea-change in how companies must treat data. For any complex regulation, training is one of the best ways to mitigate the risk of things going wrong and to support staff in doing it right. Online training is particularly effective for GDPR because data protection is about the practical, everyday requirements of keeping data safe and secure.
An ongoing programme of effective GDPR training has many benefits, including:
Increased job satisfaction amongst employees who know they are following best practice across the board
Improved processes and procedures inside the organisation
Reduced maintenance costs
Improved consumer confidence and trustworthiness
Better data security and reduced risk of a data breach
Potential to enhance the reputation of the company as being at the forefront of data protection
Compliance with the General Data Protection Regulation (GDPR) is an ongoing process. Organisations should regularly review and update their policies and data collection processes, as well as take training. The best way to refresh staff’s knowledge is to enrol them in a new course around once a year, rather than simply ask them to take the same course they took a year ago. As we approach a year since GDPR came into force, VinciWorks will be adding a new course to the GDPR training suite that includes both refresher training and advanced modules.
How does the course work?
The recommended use of GDPR: A Practical Overview is to put all staff through the six basic modules and to add advanced modules for specialised staff in certain departments. However, the course can be customised to provide any number of modules in a variety of combinations, depending on your industry and data protection training needs.
The General Data Protection Regulation (GDPR) has been in full force across the EU since 25 May 2019. As of 25 January 2019, eight months to the day since GDPR came into force, national data protection authorities had reported nearly 100,000 complaints from concerned citizens. Google has already been fined by French authorities and several social media giants are currently being investigated.
The law applies to all businesses with customers in the EU, no matter where in the world they are based, and mandates much stricter data protection rules than ever before.
GDPR compliance should be an ongoing process, and businesses must regularly review and, when necessary, update their policies, procedures and training to maintain compliance.
As a companion to our GDPR training suite, we have updated our GDPR compliance guide. The guide is suitable both for organisations that are fully compliant and would like to review the requirements of GDPR and for those that have yet to reach full compliance.
Is free will an illusion? Determinist philosophers might think so. Ancient Greek thinkers Leucippus and Democritus were two of the first to theorise that all processes in the world were due to a mechanical interplay at an atomic level, precluding the idea of human beings exercising any kind of free will in a universe operated by deterministic forces.
Aristotle, however, stated that we have the power to do or not to do, and free will can exist when we are aware of the particular circumstances of our actions. However, he still left unanswered the question of defining the choices we make based on causes outside of our control.
As we approach a year since GDPR came into force, in a recent webinar we revisited our popular GDPR Mythbusters series with a new round of questions and answers about data protection. Our Director of Best Practice Gary Yantin and Director of Course Development Nick Henderson answered the following questions:
Was the General Data Protection Regulation handed down on tablets of stone? Were its articles intended to be revered, venerated and feared for all time? Or, as many businesses might prefer, is GDPR more of a set of guidelines, good ideas for living a moral life that don’t really matter if they aren’t actually followed?
One could be forgiven for mistaking some GDPR compliance professionals for wandering clerics; preaching the gospel of data protection and warning of the world to come. Yet, like every prophecy, the date of the apocalypse came and went, and nothing much happened… Or did it?
VinciWorks has revisited our popular GDPR mythbusters series to separate the data protection facts from fiction.