It has been widely reported this week that Amazon has suffered a major data breach which resulted in customer data including names and email addresses being disclosed on its website, right before the critical trading period around Black Friday. It is thought that a technical issue was the cause of this breach. We have been discussing the General Data Protection Regulation (GDPR) 2016 implications on Black Friday and Cyber Monday for a few weeks now, but if you’re still not absolutely certain that your data protection procedures are watertight then contact us for a free 15 minutes consultation or take advantage of our own Black Friday discount of 30% off of our GDPR Rescue Package.
A data breach may include the following examples:
• Accidental or unlawful destruction of data
• Data loss
• Data alteration
• Unauthorised disclosure or access to personal data transmitted, stored or otherwise processed
All businesses that process personal data which may include anything from basic customer contact information to sensitive special categories of data, such as medical records, should implement appropriate technical and organisational measures, taking into account:
• The costs of implementation
• The nature, scope, context, and purposes of the processing
• The risk of varying likelihood and severity for the rights and freedoms of individuals
With the GDPR being in force since May 2018 and the recent Data Protection Act 2018, Amazon as a data controller of the customers personal data that it holds has a duty to notify the relevant data regulation authorities (the Information Commissioner’s Office in the UK) within 72 hours and the ICO have already said that they are ‘monitoring the situation’.
The notification to the ICO should at least contain the following information:
• Describe the nature of the personal data breach including the categories and approximate number of data subjects and data records concerned;
• Communicate the name and contact details of the Data Protection Officer of other point of contact;
• Describe the likely consequences of the personal data breach; and
• Describe the measures taken or proposed to be taken by the controller to address the personal data breach, including any measures to mitigate its possible adverse effects.
On many occasions a data controller also has to let the affected individuals know about the data breach which we understand has already been done by Amazon.
This is clearly not the type of publicity that any business would like to receive right before Black Friday which is now a multi-billion pound sales day. The reported data breach by Amazon highlights the importance of having the right security measures in place to prevent data breach from occurring.
Security measures examples include:
• user names
• passwords (with a minimum set strength)
• back up procedures
• having agreements in place with reputable sub-processors
• access control measures
• physical measures, including CCTV, locks and clean desks policy
In addition to actually having the right security measures in place it is very important to have the right internal and external GDPR documentation in place (including Data Protection and IT Security Policies, amongst others) bearing in mind the potential fines for breach of GDPR up to £17 million or 4% of the company’s worldwide annual turnover, whichever is the greater, and potential loss of reputation, customer trust and, ultimately, sales.
Get fully GDPR compliant now!
Remember, you can save 30% on the LawBite GDPR Rescue Package! Normally £495+VAT now reduced to only £346.50+VAT until 26 November 11:59 pm. Discount code GDPRCYBER18.
The author of this article is expert LawBrief Alla Fairbrother. For further business legal advice, please enter an enquiry or call us today on 020 7148 1066 to speak to a member of our friendly Client Care Team.