Why it’s more important than ever to keep your customers’ data safe.
18th October 2016 by Luke English
Businesses should already be well acquainted with the Data Protection Act 1998, which is older now than some pop stars. As such, companies should know that they are required to take “appropriate technical and organisational measures against the unlawful or unauthorised processing of personal data” (for example, their customers’ bank details and their employees’ contact information). This is also known as the seventh data protection principle.
Yet the recent ruling by the Information Commissioner’s Office (ICO), in which it issued its biggest monetary penalty to date of £400,000 to TalkTalk, shows how even sizeable and high-profile companies are forgetting the importance of this obligation.
For those of you who aren’t aware, TalkTalk’s customer database was hacked in October 2015, compromising the personal data of over 150,000 customers. After investigating the matter, the ICO found that TalkTalk had taken insufficient steps to prevent its database from being subjected to this type of cyber attack.
The ICO recognises, of course, that what may be “appropriate” for one business may not be appropriate for another. A sole trader who stores the email addresses of his 80 or so customers on a laptop will not be expected to go to the same extremes as a multinational PLC that holds extensive information about its clients on dozens of different platforms. When considering this particular incident, however, the ICO took into account the number of individuals affected, the sensitivity of the data being stored, the potential consequences of the breach for the data subjects, and the fact that TalkTalk should have realised that a breach like this was likely to occur. As such, TalkTalk was found to be in breach of its duties.
This ruling shows that now is as good a time as any to take stock of the personal data you hold and the steps you are taking (and could / should take) to prevent it from being stolen. These could range from physical steps (such as keeping cabinets locked) to technical steps (encrypting data) or practical steps (training staff about the importance of data protection). Whilst there is no “one size fits all”, this places an onus on each business to reflect on the measures it needs to put in place; it is not an excuse to avoid responsibility for the safekeeping of the data it holds.
If you would like any advice on data protection law then please contact Luke English at firstname.lastname@example.org or on 01202 557256.