Nothings Changed or so you think By: Jezz Gobran | November 5, 2018 | Tags: information risk,Morrisons data breach There’s been over 5 months since the dreaded GDPR day and to many businesses because the world hasn’t come to an end nothing has changed, it’s business as usual despite doing absolutely nothing (or very little) in readiness. If your business is important to you and I’m guessing it is, you’ll read on and find out: 1) About a game changing legal decision that could affect your business. 2) What’s going on that you don’t know about with the regulator and what to expect from them in 2019. 3) The cost to your business should it go wrong There is the alternative Don’t read on is always an option, but if you’re not going to, let’s hope it’s because you’ve realised you haven’t done enough, the downside of which are too great and you’re going to get in touch. An information risk management and data privacy specialist we are well placed to understand the risks and are supporting many successful business around the Midlands in reducing their risk . What’s the significant legal decision? In 2014 Morrisons supermarkets had a data breach, it was an inside job by an employee with malicious intent. He had unauthorised access to payroll data which was leaked all across the internet. The steps taken by Morrisons to take the data down quickly, provided protection so that workers would not be financially disadvantaged are what one would expect, however, employee’s took a class action suit against their employer and won. Read carefully as this is important for your business. This month and despite the individual being criminally convicted, Morrisons lost their high court appeal and the court found them vicariously liable for their employees actions, which ultimately means compensation for the affected individuals. Personally I think more could have been done by Morrisons, but in my opinion, it’s not the right precedent to set. What does that mean to you? If you’re honest with yourself and thought through your information security measures, who internally has access to information they don’t really need to, how would you respond if it happened to your business? Then there’s the data protection element – could you show that you had adequately assessed the risks and taken decisions accordingly, is this documented? I could go on with an endless list of considerations but we’ll leave those for another day. The point is, you haven’t done enough and if it happened to you, chances are your pockets aren’t as deep so the damage would be far greater. From a reputational standpoint it’s having your name dragged through the mud, loss of confidence from clients, loss of business contracts as a result. You know the value of your business should you wish to sell it and the income it generates annually for you personally. Is that something you take for granted or want to secure? If data privacy is that important why haven’t we heard much from the ICO? Looking at the things that have happened over the last 6-7 months, the changes that have gone on internally and the issues that are in the media it’s not surprising that we haven’t seen all that much publicly. What has happened is that in the last 12 months the ICO have had to recruit and train a significant number of people. This has come just at the time when their investigations are through the roof with Facebook and Cambridge Analytica (amongst many other’s) and there has been a 160% increase in self reporting, over 60% of those have not been necessary, a clear sign that organisations in general aren’t clear on what they are doing. So what Well, when you look at it on the surface I’m sure we all think we’ve done enough or it’s not going to happen us. Is it really worth taking the risk? Your reputation, the sweat, tears and toil you’ve put in to building your successful business, all at risk when it doesn’t need to be. Reality, you’re an expert in your chosen field but in most instances not in data privacy or information security so why would you know the delicate detail of data protection law and how to get it right and to your advantage? Choices, Choices Do nothing. If you’re serious about your business, probably not the right option. Get in touch for at least a no obligation conversation. Absolutely the right option. What’s the worst that could happen? …possibly become better informed? PS Taking a risk should be based on a calculated decision, knowing the facts, knowledge and at a level you’re comfortable with. Not having the full facts is not a risk, it’s negligence. Remember, your business, your income, is it worth risking.