GDPR lessons we are yet to learn

GDPR has been in force for 8 months now, and fines have been rolling in across Europe for big businesses as a result of data breaches. This is certainly a period of adjustment, but what can we learn from the mistakes of others to prepare our own businesses for the future?

Know your weaknesses and address them

You should be identifying the weak links in your business and addressing them, or at least have a plan to strengthen these areas in time. A breach shouldn’t be the reason you take action.

A study by Ensighten found that 15% of businesses surveyed are aware of a risk to their website or data management systems, while 67% haven’t even evaluated, considered or implemented data security for their website. The same study also found that only 13% review the security of their customer data as often as once every 6 months.

These statistics highlight how businesses have not fully considered the threats to the data they hold, nor the fines they could face should a breach occur. The same survey found that insufficient budgets (38%) were the main reason given for not protecting against known risks.

Gain positive consent for marketing activity

GDPR legislation is very strict about consent, stating, “consent must be freely given, specific, informed and unambiguous.” Any consent must be obtained on a voluntary basis, without any pressure or influence as this could render the consent invalid.

Ensure you gain proper consent for the activity you are planning, whether it’s emails, phone calls or tracking on your website. Having accurate GDPR compliant consent tick boxes on your website is essential.

Many companies have been fined over the last few years for not having proper consent for their activity, and with GDPR now in full force, these fines are only going to become more common.

Google is being fined £44 million, the largest GDPR penalty ever levied, and the most prominent example so far of a company neither obtaining valid consent nor being clear about how data is used.

Google is the largest company facing investigation over complaints made on the first day that GDPR was in effect. The National Commission on Informatics and Liberty (CNIL) claims that Google did not have a valid legal basis to process user data for the purpose of ad personalisation.

Regularly check and improve your business cybersecurity

Carry out regular checks on your website, internal processes and internal communications to ensure there is appropriate security in place. This could involve actions such as improving email encryption, new firewalls, updating your website code or installing better malware protection.

Most of the stories you’ll be reading in the news that involve GDPR will be about data leaks caused by website hacks or breaches. Company websites potentially store millions of personal details, which in the modern age is highly valuable in the wrong hands.

In August 2018, British Airways fell victim to a hack which leaked 380,000 customer transactions, including personal information and payment data. British Airways followed the correct process of informing the authorities and customers, and the Cyber Security Centre and the National Crime Agency are investigating how it happened.

The hack took place over a 1-month period across both their website and booking app, which highlights how even the biggest of companies are still vulnerable.

British Airways aren’t alone. Facebook has also been hacked, unintentionally allowing access tokens to be stolen, meaning users’ profiles could have been accessed. This was caused by a vulnerability in Facebook’s code — the last thing the social network needed after the Cambridge Analytica breach.

Uber has also been fined in the last year for failing to protect customer data from a cyber attack. Driver and customer details were captured by hackers, whom Uber paid off before informing its customers and drivers.

Be honest, clear and concise in your policies

Users want choice, transparency and clarity. Read your policies again to ensure they make sense to you and a person not associated with your business. A second pair of eyes can spot holes you didn’t see.

Your Privacy Policy, Terms of Use and Cookie Policy are your best line of defence, telling website users exactly how their data and activity on your website are used, and how they opt in to or out of your database. Providing all the information you hold in response to Data Access Requests is crucial too, and is part of the regulations.

Tax Returned Limited was fined £200,000 by the Information Commissioner’s Office for sending millions of unsolicited marketing text messages. The data they collected through third-party websites had not been gathered with clear consent as to what it would be used for.

The wording of these policies is crucial, and if it’s incorrect, unclear or misleading, you could be on the receiving end of serious fines.

This legislation is still new, and it will take time to implement the best strategy, technology and security in your business. But you need to be making strides to protect the data within your business — learn from the mistakes of others and avoid costly errors of your own.


Grant Strelling is CCO at British Assessment Bureau, a leading ISO Certification body who offer management systems for the Environment, Quality, Information Security, and Health & Safety. Grant is an expert in Compliance, ISO Certification and Technology and is passionate about delivering services that add real value to customers.
