Okay, who’s forgotten about GDPR?
Do you remember the nerves and panic as the deadline for GDPR implementation crept closer? While some businesses were sorted, others were busy trying to get their heads around what the changes meant for their organisation in practical terms. What did they have to do? Which data could they store and use, and what did they have to delete? Well, for most organisations the 25th of May 2018 arrived without any major catastrophes. The earth didn’t shake, the world kept turning and things soon settled back into a routine.
Let’s assume you checked your compliance eighteen months ago, prior to the deadline. Here’s the question: what have you done since then to make sure you’re still following the regulations? Do new staff understand why data security matters? Are your procedures still up to scratch?
It’s human to relax a little when you believe something is on track, but data security is one of those areas that needs constant vigilance, not least because those who want to get their hands on our data aren’t sitting back now that GDPR is in place. They are looking for weaknesses, loopholes and organisations which have kept hold of customer data and failed to safeguard it.
Remember those scary statistics about the level of fines – up to the greater of €20m or 4% of annual worldwide turnover? Did you see the headlines this summer when the ICO announced its intention to fine BA £183m over a data breach? In the same week, the Marriott hotel chain was told to expect a £99m fine for failing to protect customer data. If you think the property rental business is any different, think again.
The Deutsche Wohnen case
In Berlin, the data protection commissioner has just fined a German property business, Deutsche Wohnen, €14.5m. The company was found to have kept tenants’ personal data, including salary, tax, employment, social security details and bank statements, for years after it was needed. Because the data was no longer needed for its original legitimate purpose, and because the archive system gave no adequate means of deleting it, the business was fined. It’s also worth noting that there are additional fines of between €6,000 and €17,000 relating to 15 specific cases. Although the decision is likely to be appealed, it shows how seriously data protection authorities are taking their responsibilities and is a clear signal that we all need to do the same.
Agencies naturally gather a lot of personal information. Indeed, it wouldn’t be possible to do the job without it, but the data held should be the minimum necessary, anonymised wherever possible, protected, and retained only while there’s a legitimate reason for keeping it. Most agencies probably had a big clear-out eighteen months ago, but reviewing and deleting data now needs to be an ongoing process. GDPR wasn’t a one-hit wonder. It’s here to stay and it’s showing its teeth. So, if by any chance you’ve forgotten all about it, wake up and remember that we owe a duty of care to our customers, and that if we fail them there are consequences, not least because we live in an increasingly litigious age.