Does an organisation’s size matter when it comes to data breach fines?
In June, the UK ICO (Information Commissioner’s Office) began investigating a data breach at Dixons Carphone that affected almost 6 million payment cards and 1.2 million records containing non-financial information such as names, addresses and emails.
Dixons Carphone said about 5.9 million of the cards affected had chip-and-PIN protection, and the data accessed on these cards did not include the personal identification codes or other authentication details enabling cardholders to be identified or purchases to be made. About 105,000 cards issued outside the EU, without chip-and-PIN protection, were compromised.
The incident began in July 2017, but was only revealed by the retailer last month – just over a fortnight after the EU GDPR (General Data Protection Regulation) came into effect.
In 2015, Dixons Carphone was fined £400,000 by the ICO for a breach that exposed the personal details of more than 3 million customers and some employees. Under the GDPR, companies can be fined up to €20 million (about £17.6 million) or 4% of their annual global turnover – whichever is higher – for a data breach.
These are big numbers and potentially huge fines, but what if you are an SME? First, the GDPR applies to organisations of any size. Second, the reality is that smaller organisations are likely to suffer bigger financial pain than huge multinationals that might be able to take the hit. In June 2018, 145,942,680 records were leaked compared with 17,273,571 in May 2018 – a huge increase – and the majority of these affected SMEs.
It’s not too late to start your GDPR compliance journey
Data breaches can happen to any organisation at any time, so taking steps to secure your customer data should be an urgent priority. The size of your organisation is also irrelevant – the same rules apply from independents to multiples, franchises to global giants, and everything in between.
Data flow mapping – where does data fit into your GDPR compliance project?
A data flow map should be one of the first things your organisation produces as part of its GDPR compliance project. It helps give you a thorough understanding of what personal data your organisation processes and why, where it is held and how it is transferred.
You might be surprised at how extensively information travels through your organisation, and it all needs to be accounted for. If it isn’t, you are not only at risk of a data breach but are also non-compliant with Article 30 of the GDPR, which requires organisations to maintain detailed records of their data processing activities and make those records available to their supervisory authority (the ICO in the UK) upon request.
But data flow maps are about more than being organised and efficient. They also help organisations identify vulnerabilities in the way information is transferred and establish the necessary steps to become secure.
*** This is a Security Bloggers Network syndicated blog from Vigilant Software Blog authored by Ingrid Then-Guiraut. Read the original post at: https://www.vigilantsoftware.co.uk/blog/does-an-organisations-size-matter-when-it-comes-to-data-breach-fines/