Once Upon a Data Breach
Once upon a time in a land not so far away, a very normal princess snoozed her alarm for the forty hundredth time that morning and scrolled aimlessly through her phone in her palatial bed; summoning the energy to face the daily grind of princessy business.
She accepted a couple of friend requests on FaceParchment from courtiers she vaguely remembered doing tequila shots with the night before and having seen an offer for an instant hangover relief potion (with same hour dragon delivery service) signed up to Powerful Potions Ltd’s newsletter and ordered a batch.
At the other side of the kingdom, William Warlock, an overworked employee of Powerful Potions Ltd received the princess’ order and set about instructing the minions in the dragon despatch warehouse. Impatiently he closed the pop up box on his laptop reminding him that his Brimstone Firewall had expired. He’d get around to it eventually, it seemed these Pumpkin products constantly needed updating.
Meanwhile, the princess had made it to her desk at the palace and was busy responding to emails from common folk. She’d already received 5 emails with special offers from Powerful Potions and though she’d clicked the unsubscribe button, having no interest in phoenix face cream or owl ointment, they were still cluttering up her inbox.
Deep underground in a cavern that was very difficult to trace, squatted Trevor Troll on his laptop. Trevor was a vindictive creature, a very accomplished cyber criminal and today had chosen to target Powerful Potions Ltd. It was easy to hack into their systems and their databases were rife with contact details and personal data about thousands of individuals throughout the kingdom. They didn’t store payment card details but that didn't matter. Once you had an individual’s order history and contact details it was simple enough to make profit from identity theft, mislead individuals to pay invoices to a new bank account or even just hold the data up for ransom.
The princess’ details were the most recently added to the database. Trevor had her full name, address, email address, phone number and order history. A quick check on social media also revealed the princess and he had mutual friends. Excellent. Courtesy of the princess’ privacy settings meant he soon also learnt the names of family members, where she worked and even her pet corgi’s name. All useful should any pesky security questions need answering.
By dusk, the princess was distraught. After a phone call with her bank it transpired that her coffers had been emptied throughout the day in a number of suspect transactions. Furious, she sued Powerful Potions Ltd for not protecting her personal information. They hadn’t even contacted her to inform her there had been a data breach. Mind you this was hardly surprising as they hadn’t even removed her from their mailing list when requested.
Unfortunately, the princess was not alone, nor was Powerful Potions Ltd in their lax attitude to data protection. Recognising this, goblin elders from multiple kingdoms decided data protection laws needed tightening.
Thus the ‘Goblin Data Protection Regulation’ (GDPR) was born.
The GDPR set out the following rules that all businesses across all kingdoms must comply with after 25 May 2018:
1. Consent and Transparency:
2. Individuals’ Rights:
The GDPR sets out different rights that individuals (including princesses) have regarding the use and storage of their personal data. When an individual exercises any of these rights, businesses must comply within one month (unless it is a complex request) and perform the service free of charge. For a summary of these rights, see our Layman’s Guide to GDPR.
3. Data Protection Officer
Businesses will need to appoint a member of staff to ensure the GDPR is consistently adhered to. (Dragons are recommended but other staff members may also be adequate).
Data Protection Impact Assessments (DPIA) ought to be carried out so that businesses might assess the risks associated with processing data in new ways, such as using other companies or new technologies.
5. Transfer of Data
Any citizens of the Elves Union (EU) should not have their data transferred outside of the EU unless the transfer is to a state with appropriate safeguards. Businesses should therefore determine their data processors’ GDPR compliance and where they process the data provided to them.
6. Breach Notification
Any breach of the GDPR must be reported to the relevant authority within 72 hours of the company acquiring the knowledge, where the breach is likely to result in a high risk to the rights and freedoms of data subjects. Businesses should also notify the data subjects affected. In the UK, the relevant authority is the Information Commissioner’s Office (ICO) and we would urge you to visit their website for further guidance.
Any business that does not comply with the new goblin standards risks a hefty fine of up to 20 million euros or 4% or their annual worldwide turnover. In magical kingdoms, CEOs will also be turned into frogs.
It is therefore of the utmost importance that businesses start acting now to ensure that they are taking adequate measures to protect the data they hold, train staff (including all data protection dragons) and ensure the relevant procedures and policies are in place come the 25th May.
If you’d like to learn more about the GDPR compliance and what you need to do to get your castle in order, please speak to a member of the Hybrid team and we’ll be more than happy to discuss our Data Protection Health Check service to help your business continue to trade happily ever after.