Last year, British Airways suffered a data leak that allegedly affected more than 250,000 customers and involved highly sensitive data such as credit card numbers and other payment information.
This data leak is now costing the airline dearly, as the British data protection authority ICO wants almost 205 million euros in fines for it. Even if the decision is appealed and the matter therefore goes to court, this sum should make everyone sit up and take notice.
The GDPR, for example, sets out extensive requirements for security measures in Article 32, and everyone should be aware that data protection is not just a software issue, but above all a question of employee training, data handling and company organization.
While the creation of run-of-the-mill privacy policies can in many cases certainly be left to a privacy policy generator without risking sleepless nights, the same does not apply to questions about the general handling of data protection. It is urgently recommended that employees be trained and that work processes be subjected to critical scrutiny. This is especially true for smaller IT companies, which often use things like Google Docs, WhatsApp, collaboration tools, CRM applications, support websites and more without a second thought, and in the process, perhaps equally without much awareness of the problem, process users' personal data.
Get advice on this urgently, before it is too late!