While the fines themselves and the subsequent appeals are making the headlines, the real question to ask is how other organisations can avoid such situations and take a more programmatic approach to regulatory compliance. In this article we look at the causes of both breaches and propose some practical solutions.
One of the main reasons cited for both breaches was the presence of unpatched legacy applications and shadow IT platforms. These serve as a perfect ‘way in’ for cyber criminals, who can redirect traffic elsewhere in order to harvest personal data.
Because of the nature of British Airways and Marriott and the levels of complexity of both organisations, their networks of content management systems, websites, mobile apps and online services can represent a weak point in cyber security and subsequently GDPR and other regulatory compliance requirements.
This is especially evident in the case of Marriott which acquired the Starwood Hotels Group in 2016, but the latter’s IT systems have since been found to have been compromised as early as 2014. Yet following the acquisition it still took until 2018 for the breaches to become known. In terms of GDPR compliance, the ICO felt that “Marriott had failed to undertake significant due diligence when it acquired Starwood and should have done more to make sure its IT systems were secure”.
For some observers, the solution to GDPR compliance is for a firm to delete its data. After exposing the personal information of over 650,000 of its customers, the UK pub chain Wetherspoon, for example, took the somewhat nuclear approach to data privacy and deleted most of its client data as its solution to avoiding further breaches.
While this solution worked for Wetherspoons, for some firms data is more like oil: it requires careful handling, but at the same time it is a vital commodity and cannot simply be deleted, whether for compliance reasons or for understanding customers’ requirements and purchasing history. For those organisations, compliance can be architected through the transformation of processes, applications and systems without sacrificing market agility. Instead of treating data as a threat to their business, they can gain competitive advantage by building customer loyalty based on data privacy.
At the time of writing this article, it should be said that both British Airways and Marriott have stated their intention to appeal to the ICO against their respective fines. However, irrespective of the outcome of those appeals, there is simply no reversing the negative press and the adverse impact on share prices and brand that have already occurred.
Just like a good house, data privacy needs to be built on strong foundations, not a patchwork of solutions to paper over the cracks.
The core of GDPR compliance-by-design is adherence to a 6-step methodology with data privacy at the centre. This begins with initial assessments across an organisation to identify all stakeholders, and to establish which data processing activities require a Data Protection Impact Assessment (DPIA). With this knowledge, data can be categorised and its sensitivity identified, so that priorities can be set on the basis of that analysis.
Using the compliance-by-design approach, the process of carrying out DPIAs becomes automated and includes business process documentation, assessment of the regulatory risks and, most importantly, a description of the mitigation measures that have been adopted. The value of being able to provide this level of information in a timely fashion is illustrated by the fact that British Airways’ response to its breach was praised, in particular because it alerted affected customers and the Information Commissioner’s Office (ICO) within the 72 hours mandated by the GDPR regulations.
To avoid Wetherspoons-style treatment of your organisation’s data, the remediation plan is also a crucial aspect of the compliance-by-design approach. It enables the securing of processes and applications that control or handle personal data – without impacting business capability or agility. It also makes it easier to document and communicate with and between compliance stakeholders, and enables any person within a business to report compliance incidents so that the DPO and other leaders can centrally review them, assign severity and record remediation activities.
To most organisations, data is oil – it’s extremely valuable, even essential to the business. With a comprehensive solution that enables organisations to quickly assess GDPR needs, generate the required documentation such as DPIAs, and centrally manage compliance changes for the entire business, there is no need to treat data like uranium.
You can read more about MEGA’s approach to GDPR compliance-by-design in our 6-step guide.