5 Security Lessons from Non-Compliance with UK Data Protection Law

I speak with many organizations that have customers throughout the world, often via their ecommerce websites, and an alarmingly large number of them are completely unaware of the data protection laws they must follow in the countries their customers come from. When the privacy commissioners of those countries discover that an organization is not following the law, the financial impact on the business can be substantial, not only from fines but, typically more significantly, from bad press and from orders to discontinue business within the country until its business activities, policies and processes comply with the requirements.

I’ve also spoken with a large number of marketing and sales folks who are completely oblivious to what they can and cannot do with customer personally identifiable information (PII). It is not completely their fault: if they have information security, privacy and legal counsel within their organization, those people should be communicating with the marketing and sales folks about these privacy, security and compliance issues, telling them what they should not be doing along with the safeguards they must take with customer PII.
Marketing and sales is a specific group with a very high need for targeted training and ongoing awareness.
The United Kingdom (U.K.) Information Commissioner’s Office (ICO) announced on June 21 that it had settled some Data Protection Act noncompliance charges against two companies: Orange Personal Communication Services Ltd., based in the U.K., and Littlewoods Shop Direct Home Shopping Ltd., also based in the U.K.
In both of these cases there was probably minimal immediate negative business impact, other than the bad press and now having to implement security procedures that should have been in place anyway. However, this should be another forewarning that the public, as well as government oversight agencies, are becoming more aware of companies that do not have appropriate safeguards in place for PII, and I predict, based upon the enforcement histories of other data protection laws, that as time goes on the penalties will become more severe.
In the noncompliance case of Orange Personal Communication Services Ltd, the company was found to be in violation of the Act because:

“members of staff who had recently commenced working for the company were allowed to share user names and passwords to access company computer systems holding the personal data of Orange customers.”

So, the company had violations for lack of appropriate access controls, lack of accountability for actions performed with the user IDs, not limiting access to the minimum required to perform business responsibilities, and allowing user IDs and passwords to be shared, to name a few. These are controls all businesses should have in place.
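The accountability problem described above is detectable from ordinary authentication logs: a single user ID with sessions open from two different hosts at the same moment cannot be attributed to one person. The following is an added example (not code from the original post or from the ICO case) that implements that check. The log format, user names and IP addresses are constructed for illustration; a real deployment would adapt the regular expression to the system's actual log lines.

```python
"""Detect shared user IDs from authentication logs.

Added example, not from the original post or the ICO case files. The log
format, user names and IP addresses below are constructed for illustration.
A credential in use from two different hosts at the same time is a strong
indicator that the user ID is being shared, which destroys accountability:
the audit trail can no longer attribute an action to one individual.
"""
from collections import defaultdict
from datetime import datetime
import re

# Constructed sample log, one event per line:
#   <ISO timestamp> <LOGIN|LOGOUT> user=<id> src=<ip>
SAMPLE_LOG = """\
2006-06-19T09:00:00 LOGIN  user=jsmith src=10.1.2.10
2006-06-19T09:05:00 LOGIN  user=jsmith src=10.1.2.44
2006-06-19T09:07:00 LOGIN  user=apatel src=10.1.3.7
2006-06-19T09:30:00 LOGOUT user=jsmith src=10.1.2.10
2006-06-19T09:31:00 LOGIN  user=jsmith src=10.1.2.10
2006-06-19T10:00:00 LOGOUT user=apatel src=10.1.3.7
2006-06-19T10:15:00 LOGIN  user=apatel src=10.1.3.8
2006-06-19T12:00:00 LOGOUT user=jsmith src=10.1.2.44
"""

LINE_RE = re.compile(r"^(\S+)\s+(LOGIN|LOGOUT)\s+user=(\S+)\s+src=(\S+)$")


def parse_log(text):
    """Yield (timestamp, event, user, src) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event, user, src = m.groups()
        yield datetime.fromisoformat(ts), event, user, src


def find_shared_credentials(text):
    """Return {user: {(src_a, src_b), ...}} for every user ID that had a
    session open from two different sources at the same moment.

    Sequential use from different hosts (log out of one, log in to another)
    is normal and is deliberately NOT flagged; only overlapping sessions are.
    """
    open_sessions = defaultdict(dict)   # user -> {src: login time}
    findings = defaultdict(set)
    for ts, event, user, src in sorted(parse_log(text)):   # chronological order
        if event == "LOGIN":
            for other_src in open_sessions[user]:
                if other_src != src:
                    findings[user].add(tuple(sorted((other_src, src))))
            open_sessions[user][src] = ts
        else:
            open_sessions[user].pop(src, None)
    return dict(findings)


if __name__ == "__main__":
    for user, pairs in find_shared_credentials(SAMPLE_LOG).items():
        print(f"possible shared credential: {user} used concurrently from {sorted(pairs)}")
```

In the constructed sample, `jsmith` is flagged (logged in from two hosts at once) while `apatel`, who simply moved from one host to another after logging out, is not. Running this over real logs gives a concrete list of accounts to follow up on, and, for new starters in particular, a way to confirm that each person has been issued their own credentials.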
In the noncompliance case of Littlewoods Shop Direct Home Shopping Ltd, the company was found to be in violation of the Act because the ICO:

“has received complaints from [name removed] regarding the processing of xx personal data by the data controller [Littlewoods Shop Direct Home Shopping], and in particular that despite having given notice in writing to the data controller to cease processing her personal data for the purpose of direct marketing, xx continues to receive such marketing material.”

By the ICO’s order, Littlewoods must remove the complainant’s name and other PII from all their systems and discontinue any further marketing to the former customer. Littlewoods must also implement procedures to be in full compliance with the Data Protection Act.
Having procedures and methods in place to remove customer PII from business systems upon a customer’s request to stop receiving marketing communications (opt-out procedures and processes) is something few businesses have properly addressed, and too many have not even considered.
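The Littlewoods complaint is the classic opt-out failure: the request was received, but marketing kept going, which usually means the customer existed in more than one list or system and only one copy was updated. The following is an added example (not code from the original post or from Littlewoods’ systems) of the design that avoids this: a single central suppression list that every outbound campaign is checked against at send time, regardless of which list or export the addresses came from, plus erasure of the customer’s records from every system. The customer records, addresses and salt value are constructed; retaining only a salted hash of the address so the opt-out survives erasure of the PII is this example’s design choice, not something the ICO order specifies.

```python
"""Central opt-out suppression list enforced at send time.

Added example, not from the original post or Littlewoods' systems. All
customer records, addresses and the salt are constructed. Design point: an
opt-out must be enforced where messages leave the organisation, not by
editing one marketing list, because the same customer usually exists in
several lists and systems, and stale exports resurface.
"""
import hashlib
from datetime import datetime, timezone


def normalize_email(addr):
    """Canonical form so 'Jane.Doe@Example.com ' matches 'jane.doe@example.com'."""
    return addr.strip().lower()


def suppression_key(addr):
    """Salted hash of the normalised address. Only this key is kept after the
    customer's PII is deleted, so the opt-out outlives the erasure. The salt is
    a constructed constant here; in practice it is loaded from a secret store."""
    salt = b"example-salt-not-for-production"
    return hashlib.sha256(salt + normalize_email(addr).encode()).hexdigest()


class SuppressionList:
    """The one list every outbound marketing send must consult."""

    def __init__(self):
        self._entries = {}   # suppression key -> UTC time the opt-out was recorded

    def opt_out(self, addr, when=None):
        self._entries[suppression_key(addr)] = when or datetime.now(timezone.utc)

    def is_suppressed(self, addr):
        return suppression_key(addr) in self._entries


def erase_customer(systems, addr):
    """Remove the customer's records from every system that holds them.
    `systems` maps a system name to a list of record dicts with an 'email' key.
    Returns the number of records removed (0 would itself be worth alerting on)."""
    key = normalize_email(addr)
    removed = 0
    for records in systems.values():
        before = len(records)
        records[:] = [r for r in records if normalize_email(r["email"]) != key]
        removed += before - len(records)
    return removed


def send_campaign(recipients, suppression):
    """Return (sent, blocked) address lists. Every recipient, whatever list or
    export it came from, is checked against the central suppression list."""
    sent, blocked = [], []
    for r in recipients:
        (blocked if suppression.is_suppressed(r["email"]) else sent).append(r["email"])
    return sent, blocked


def demo():
    # Constructed data: the same customer appears in two separate systems,
    # with different capitalisation of the address.
    systems = {
        "crm": [{"email": "jane.doe@example.com", "name": "Jane Doe"},
                {"email": "bob@example.com", "name": "Bob"}],
        "catalogue_mailing": [{"email": "Jane.Doe@Example.com", "name": "J Doe"}],
    }
    suppression = SuppressionList()
    # Customer gives written notice to stop direct marketing: record the
    # opt-out first, then erase her records everywhere.
    suppression.opt_out("jane.doe@example.com")
    removed = erase_customer(systems, "jane.doe@example.com")
    # Months later a campaign is built from a stale export that still holds her
    # address. The send-time check blocks it even though the record is gone.
    stale_export = [{"email": "Jane.Doe@Example.com"}, {"email": "bob@example.com"}]
    sent, blocked = send_campaign(stale_export, suppression)
    return removed, sent, blocked


if __name__ == "__main__":
    removed, sent, blocked = demo()
    print(f"records erased: {removed}; sent to: {sent}; blocked: {blocked}")
```

The order of operations in `demo()` matters: the suppression entry is written before the records are deleted, so there is no window in which the customer is neither on a list nor suppressed. Checking at send time, rather than trusting that every list was cleaned, is what turns “we removed her from the mailing list” into a control that actually holds.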
A few lessons all organizations can learn from these cases:
1. Organizations must know, understand and comply with the data protection laws for all the countries where they have customers and employees.
2. Access to PII must be limited to only that necessary to perform business job responsibilities.
3. Specific groups, such as marketing and sales, must receive targeted training and ongoing awareness communications.
4. Policies, procedures and technologies must be in place to allow customers to effectively opt out of receiving further communications from your organization.
5. Safeguard requirements and policies, such as prohibiting user ID and password sharing, must be actively and consistently enforced, along with sanctions for non-compliance.