GDPR already isn’t working

Written by BT on 15 October 2018 in Sponsored Article

The policies may be in place, but is it happening in practice? BT's Bas de Graaf looks at the reality of GDPR today

Holiday data security horrors

I recently headed off on holiday, looking forward to leaving all thoughts of work behind for a while. Instead, I came across issue after issue around the security of my personal data that brought home some shocking truths about the realities of how the General Data Protection Regulation legislation (GDPR) is being implemented.

It started at the airport where my flight was late landing, so I missed my connection. As part of the compensation process I had to go to the airline’s customer service desk to file a complaint. I was horrified to find out that, rather than filling out a digital form, this involved writing my contact details into a ledger underneath rows and rows of other people’s personal information. Had I wanted to, I could easily have stolen their details.

I put this breach of GDPR down to a one-off failure — even though I was surprised at an organisation the size of the airline making such a glaring mistake — and got on with enjoying my holiday… except another incident occurred as soon as I got to my hotel. The receptionist asked to borrow my passport to take a copy of it and she looked totally confused when I told her that was against the law.

I wanted to visit some volcanic caves but, before I could go in, I was asked to write my details down in a log book and, as with the airline, everybody else’s personal data was available for me to see — and steal, if I’d been so minded. And this was a government-run attraction! It seemed GDPR breaches were happening everywhere; each of the four companies I used for whale-watching trips had the same insecure and illegal log book system.

Surely that would be the last GDPR issue I’d encounter? Unfortunately not. I went to hire a car and there was no one at the customer service desk when I got there — but there were lots of completed forms just lying out on the desk, all of them containing other customers’ personal data.

GDPR is not reaching the front line

The frightening conclusion I came to during my holiday is that breaches like these are most likely happening everywhere because GDPR hasn’t become a reality yet — even though it’s been in operation since May.

In every example I gave, the only thing that protected my data was my own vigilance and knowledge of the law. I’m sure that all the companies I dealt with had data protection policies in place — at a head office level — but perhaps it was just a tick-box exercise? It was obvious that this knowledge and awareness hadn’t filtered down to the people on the front line. And those front-line breaches are what could, if picked up by the regulator, cost the companies huge fines. Remember the maximum fine is up to €20 million or four per cent of annual global turnover, whichever is higher. Organisations need to be living the values of the law in every aspect of their business.

Put the right data security in place

This data protection issue is just one ‘small’ (but potentially expensive) example of the importance of knowing where your data is, who has access to it, and how you control and protect that access. Across your whole security remit you need to know that your approach is sufficient, and that you can demonstrate the validity and effectiveness of your efforts — from the top of your organisation right down to the people on your front line.

The gap I spotted between GDPR policy and practice on holiday can happen in any organisation handling data — and could be happening in your organisation, right now. Ensuring you’re compliant with regulations is a constant battle, and it requires a disciplined process to assess your current level of compliance as well as any steps you need to take to resolve any discrepancies. However, from what I saw on holiday, I believe that that’s only the beginning. Once you’ve corrected any discrepancies you then need to start an educational awareness programme throughout your organisation to make sure everyone is living your security values.

Here at BT, we’re happy to share our expertise on getting your data security right. A great place to start is by downloading our whitepaper: Check you’ve got the right security in place for your GDPR journey and our security ebook.


Bas de Graaf is head of ethical hacking services at BT
