This blog has been updated to reflect industry updates. Originally published December 2017.
With the number of data breaches increasing every year, breaches are now a huge issue for organisations. 46% of all UK businesses identified at least one cyber breach in the past 12 months, and the International Data Corporation predicts that a quarter of the world’s population will have been affected by a data breach by 2020.
It should be obvious that it’s a priority for companies to learn how to keep data secure.
How are breached businesses affected?
A business suffers in many ways when it falls victim to a data breach, one of which is dealing with the financial repercussions.
There is a range of different costs associated with a data breach, such as paying back any money taken as a result of the breach, compensating affected customers, a plummeting share value and having to pay for the right protection to ensure a breach doesn’t happen again.
In addition, breached companies can be fined by the ICO (Information Commissioner’s Office) with penalties reaching a maximum of €20 million (about £17 million) or 4% of global annual turnover, whichever is greater, under the GDPR (General Data Protection Regulation).
After paying off fines, the breached company also has to deal with reputational damage. Breaches have a massive negative impact on a company’s customer base, particularly if the breach involved sensitive data. Customers lose confidence in the brand and don’t feel that their data is secure. A breach also puts off potential customers.
The impact of a breach is tied to the type of data involved. If the organisation’s confidential data has been exposed, it can have catastrophic effects. If personal and financial details of staff and customers are breached, those people are left open to the risk of identity theft.
In 2015, TalkTalk suffered a data breach in which the details of more than 150,000 customers were stolen, including bank account details of about 15,000 of those customers. The company lost 95,000 subscribers as a result of the attack, costing it £60 million. On top of that, TalkTalk was also fined £400,000 by the ICO.
However, things only got worse for TalkTalk. In 2017, the details of more than 21,000 people were unlawfully taken. The company was fined £100,000, but if this breach had occurred after the GDPR had taken effect, TalkTalk would almost certainly have received a significantly higher fine.
Then, last week, a BBC investigation revealed that the 2015 data breach was worse than initially thought, with another 4,500 customers’ names, addresses, dates of birth, email addresses, account numbers and bank details all found accessible online through a Google search.
Protect your organisation with a DPO
To help organisations tackle the threat of data breaches, the GDPR requires certain organisations to appoint a DPO (data protection officer). They are independent data protection experts who help organisations meet their regulatory obligations.
DPOs’ tasks include monitoring an organisation’s data protection policies, advising management on whether DPIAs (data protection impact assessments) are necessary and serving as a point of contact between the organisation and its supervisory authority.
Although not every organisation is required to appoint a DPO, many experts – including the Article 29 Working Party – believe all organisations will benefit from assigning someone to take on the DPO’s responsibilities.
Finding someone with the right experience can be tricky, though, which is why many organisations are turning to third-party help.
DPO as a Service
Our sister company GRCI Law Limited is a legal consultancy specialising in data protection and cyber security.
Under its DPO as a service offering, a qualified, experienced member of the team will act as DPO for your organisation. The role of the DPO is to monitor your data protection activities and compliance with the GDPR, and to offer advice on a day-to-day basis.