Businesses need to document their efforts to comply with the General Data Protection Regulation (GDPR) due to come into force next May or risk unprecedented fines, a leading lawyer has warned.
Claire Mulligan, partner at law firm Kennedys, warned: “Fines can be up to £20 million or 4% of global income.
“People who have had data stolen can bring claims for damages on top, regardless of whether they suffer a financial loss. You could be looking at claims of £2,500 to £12,000 for the anxiety caused by a loss of personal data.”
Mulligan warned the penalties for loss of financial or health data would be “much higher” still and said: “I would get busy now.”
Speaking at Abta’s Travel Convention in the Azores, she said: “A person has to actively affirm you can have their data. You can’t just keep their data because you already have it.
“Ask yourself why you have the data. Consider how you use the data. Think about your website – you need clear privacy notices. Think where you hold the data – is it in the cloud?”
She added: “This is a board issue. You can’t park it on the IT director, and you need to document the process.
“Do you issue warnings to staff about phishing emails? Be sure you document that.
“If you don’t have documented proof, you will find it very difficult to prove you have consent [to hold data]. It’s going to cause you a huge amount of problems.
“You have to show you’re keeping data only for as long as is appropriate. If you’re developing artificial intelligence [using personal data] you need consent to use the data.
“If you work with IT experts, get them in to kick the tyres. You only have till May 2018.”
Mulligan warned: “Two thirds of cyberattacks affect SMEs, and one third is caused inadvertently by employees.”
Vito Sepe, senior account director at insurer Arnold Fisher, agreed, saying: “Too many businesses perceive this as something that will never happen to them, but SMEs are increasingly targeted by cyber criminals.”
David Trunkfield, partner at business consultancy PwC, suggested the industry should act collectively to address some of the issues around data protection.
He said: “The travel industry has not yet got together to discuss the risks it faces and how it responds. You will be stronger collectively if you do.”
Abta chief executive Mark Tanzer recalled a data breach at the association in March this year, saying he had drawn “a couple of lessons”.
“One, have insurance because it can be expensive. Two, the best way not to lose data is not to have it. Be rigorous in clearing out data that is not relevant or that you haven’t a licence to use.”
Tanzer added: “I hadn’t realised how responsible I was for third-party suppliers. Even understanding the data we had was more challenging than I thought. People’s records were often scattered among different systems.”