Learning from the British Airways and Marriott International fines: What organisational measures should companies be implementing?
Published on 29th Aug 2019
This article was first published on ITPro:
Learning from the British Airways and Marriott International fines: Part 2
The first part of this article detailed the baseline technical measures that companies should be taking in order to remain GDPR compliant. Alongside these technical measures, it is equally important to ensure that robust organisational measures are in place. This is especially important as many of the largest fines issued under the Data Protection Act 1998 (the precursor to the GDPR and the Data Protection Act 2018) have arguably been levied as a result of organisational failings.
In January 2017, for example, Royal Sun Alliance (RSA) was fined £150,000 after a portable network attached storage device was stolen from a physical data server room. RSA was criticised by the ICO for its failures around protecting that device, which contained huge volumes of personal data. Not only did it fail to encrypt the device, but it was not physically secured, there was no CCTV in the data server room and an inappropriate number of staff and contractors had unaccompanied access.
In August 2017, TalkTalk was fined £100,000. It provided Wipro Limited, a multinational IT company, with access to a web-based platform containing customer personal data. In 2014, three of Wipro's employees had misused their access to the portal. The ICO criticised TalkTalk for failing to implement controls to limit Wipro's access to customer data, the fields of data which Wipro could export and the ability of Wipro to access the portal from any internet enabled device.
What organisational measures should companies be implementing?
Our review of the ICO's previous decisions has identified the following organisational measures as key to ensuring a baseline level of compliance:
Data Register / Mapping
Under Article 30 of the GDPR, most companies are required to maintain records of their data processing activities. They should know which information / data they hold, where this is held, how it is held and what measures are taken to keep it secure. This involves conducting an initial data mapping exercise and maintaining a record of processing activities which is updated at appropriate intervals. That exercise should place emphasis on identifying particularly valuable, sensitive or confidential information. Furthermore, as part of that exercise, companies should consider whether they can minimise the personal data that they hold.
Control over suppliers
Companies must have in place contractual arrangements with those of their suppliers that process personal data. Suppliers may process personal data on a company's behalf as its data processor (in which case, the requirements of Article 28 of the GDPR will apply) and/or as independent or joint controllers (at least in some respects). Appropriate contractual arrangements with suppliers are not sufficient by themselves; companies must also conduct due diligence on their suppliers prior to entering into such arrangements, and ensure that supplier's processing activities are monitored and audited (as appropriate) during the term of such arrangements.
Policies and procedures
Companies should have in place clear policies and procedures for information security, which record the technical and organisational measures in place.
In addition, and as part of those policies and procedures, companies should be able to identify easily who within their organisation is responsible for information security. At the same time, every team and employee should also be aware that they each have a personal responsibility for data protection (rather than 'passing the buck').
Incident Response Plan
For most companies, it will be appropriate to have in place an Incident Response Plan which sets out the steps to be taken in the event of a suspected breach. This should be a useful document, which provides practical advice (such as the phone numbers / email addresses of those individuals to whom an incident should be escalated).
Having said this, strategies and plans will only get you so far. In the event of a crisis situation, incident response plans are quickly discarded and instinctive decision-making kicks in. More often than not these days the question is when, not if, the business will face a crisis, so practising those decisions in a hypothetical environment will ensure the company has the best chance of handling a real crisis (and this will help demonstrate appropriate training too).
All staff and employees should be provided with mandatory training at appropriate intervals (for example, at the commencement of their employment and thereafter at yearly intervals). Records of the same should be kept.
Physical and environmental security
Companies should also have policies and procedures for ensuring the physical integrity of all information and information processing facilities. The measures which need to be taken may include electronic access cards, extra measures for locations housing critical or sensitive information, secure storage and clear desk / screen policies.
Compliance in the context of M&A
Particular issues arise in the context of M&A transactions, whether as part of a share sale or an asset sale. During an acquisition process, it will be important to carry out appropriate due diligence for the purpose of identifying any relevant issues or gaps in GDPR compliance.
The importance of appropriate due diligence was emphasised in the ICO's announcement that it intends to fine Marriott International. Elizabeth Denham, the Information Commissioner, stated that organisations must ensure that they carry out:
proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected".
Thus, in the M&A context, appropriate due diligence will be important for several reasons. Prior to purchase, it helps the acquiring company determine the extent and nature of any indemnities that might need to be obtained (or whether a reduction in purchase price should be negotiated), as well as providing the purchaser with a sense of the scale of cost and complexity that might be associated with integrating the acquired IT infrastructure (to the extent that this is intended).
Post-purchase, and in the event that any issues come to light, records showing that appropriate due diligence was carried out may assist the acquiring company to demonstrate that it took appropriate technical and organisational measures at the outset of the acquisition.
It will be interesting to see the role that might be played by warranty and indemnity insurance in covering off GDPR risks, especially given that, at present, it is unclear whether GDPR fines are insurable under cyber security insurance.
Accountability for compliance
Under Article 24 of the GDPR, data controllers must be able to demonstrate their compliance. Practically speaking, this requirement mandates that companies must have ready and at-hand a clear narrative showing how they have complied with the GDPR. In most circumstances, this is best achieved by reference to policies and procedures, which must be clear and up-to-date. Companies should consider some up-front investment in ensuring all of their policies and procedures are GDPR-compliant.
Dealing with the ICO post-breach
Following on from a breach, the ICO will want to understand the technical and organisational measures that were in place. When responding to the probing questions which the ICO will inevitably ask, companies will need to be able to provide answers quickly and in plain English.
The ICO is becoming increasingly technologically savvy and may ask very specific questions. Whilst there is sometimes a temptation to provide discrete answers, it is generally better to ensure that answers even to specific questions are given their proper context. In particular, it will be important to demonstrate the way in which any omissions may have been mitigated by the suite of other measures which may have been in place.
In the absence of detailed guidance or case law from the Courts, there remains significant uncertainty for companies as to the steps which they need to take in order to ensure full compliance with the GDPR. Whilst this article has set out certain baseline measures which organisations should consider taking in order to be compliant, it is anticipated that further guidance will inevitably follow. Companies should keep a close eye on information published by the ICO, any of the other European data protection authorities and/or the European Data Protection Board, as well as any enforcement notices or decisions released.