Dumping your Old Business Cards

In July 2017, pub chain J.D. Wetherspoon deleted its entire email mailing list, saying that it will no longer send newsletters by email. It is not known how many addresses Wetherspoon deleted, but when the firm suffered a breach of its customer database in 2015 the database was reported to hold 656,723 records.

The news came after several companies received fines for sending marketing messages to people who had not explicitly consented to receive them. Airline Flybe was fined £70,000 by the Information Commissioner’s Office (ICO) after sending more than 3.3 million emails under the title “Are your details correct?” to people who had previously opted out of marketing emails.

On a risk basis, it is simply not worth holding large volumes of customer data that bring insufficient value. Over time there is also a strong likelihood that you have lost track of who gave consent to be contacted again, and through which channels, so the data becomes a liability you cannot lawfully use.

Flybe, Morrisons and Honda were all found to be in breach of the Privacy and Electronic Communications Regulations (PECR). Fines for breaking this law currently go up to a maximum of £500,000; under the EU General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018, companies can be fined up to 4 per cent of their global annual turnover or €20 million, whichever is higher.

The principle is simple: the less customer information you, we or I hold, the less risk that data carries. Driven by a conversation with a friend this week on the value (or not) of a very old pile of business cards … if you don’t need them, get rid of them. It is simpler still given a clean desk / clear desk policy at home and at work.

Cyber Essentials for GDPR

With enforcement of the EU General Data Protection Regulation (GDPR) pending, many businesses are mad busy preparing for a new era in privacy regulation. Late last year, I was advised to ‘hang on to all and any compliance frameworks you can’ (re GDPR), and ‘Cyber Essentials’ was one such certification scheme mentioned at that time.

The aim of Cyber Essentials certification, a UK government-backed scheme, is to help organizations like yours and mine safeguard sensitive data by implementing a baseline of reasonable security measures, much as the GDPR’s requirements aim to strengthen data protection.

The Cyber Essentials standard covers five security control areas:

  • Boundary firewalls and internet gateways: A correctly configured boundary firewall or gateway blocks unsolicited inbound connections, so attackers on the internet cannot reach internal computers running vulnerable software.

  • Secure configuration: Hardening systems minimizes the attack surface available for exploitation. Steps include fundamental cyber hygiene such as changing default passwords and removing software and accounts that are not needed.

  • User access control: Organizations must ensure everyone has only the access to data appropriate to the role they perform, and that administrative accounts are restricted to administrative tasks rather than everyday use.

  • Malware protection: Organizations must make sure that anti-virus and anti-malware protection is installed on every in-scope device and is kept up to date.

  • Patch management: Timely application of security patches should be a priority for preventing breaches; under the scheme, critical and high severity updates must be installed within 14 days of release.
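As an added illustration, and not code from the original post or from the Cyber Essentials scheme itself, the five control areas above turned into concrete checks over a small host inventory in Python. The hosts, accounts, passwords and patch identifier are constructed for the example; the 14-day patch window is the scheme's own deadline for critical and high severity updates, while the one-day limit on signature age and the tiny default-password list are assumptions chosen for the demonstration.

```python
from dataclasses import dataclass
from datetime import date

# Vendor default passwords that must not remain on any account.
# Constructed sample list for the example; a real check uses a far larger one.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "default", "12345678"}

# Cyber Essentials requires critical/high severity updates within 14 days of
# release. The one-day signature age limit is an assumption for this example.
PATCH_WINDOW_DAYS = 14
MAX_SIGNATURE_AGE_DAYS = 1


@dataclass
class Account:
    name: str
    password: str
    is_admin: bool = False
    everyday_use: bool = False   # account also used for email / web browsing


@dataclass
class Patch:
    patch_id: str
    released: date


@dataclass
class Host:
    name: str
    firewall_blocks_inbound: bool      # boundary firewall drops unsolicited inbound
    accounts: list                     # list[Account]
    av_installed: bool
    av_signature_date: date
    pending_critical_patches: list     # list[Patch] not yet installed


def check_host(host: Host, today: date) -> list:
    """Return one finding string per failed check, tagged with its control area."""
    findings = []

    # 1. Boundary firewalls and internet gateways
    if not host.firewall_blocks_inbound:
        findings.append("firewall: unsolicited inbound connections are not blocked")

    # 2. Secure configuration: no default passwords left in place
    for acct in host.accounts:
        if acct.password.lower() in DEFAULT_PASSWORDS:
            findings.append(f"secure configuration: account '{acct.name}' uses a default password")

    # 3. User access control: admin accounts are not used for everyday work
    for acct in host.accounts:
        if acct.is_admin and acct.everyday_use:
            findings.append(f"access control: admin account '{acct.name}' is used for everyday tasks")

    # 4. Malware protection: installed and signatures current
    if not host.av_installed:
        findings.append("malware protection: no anti-malware software installed")
    elif (today - host.av_signature_date).days > MAX_SIGNATURE_AGE_DAYS:
        findings.append("malware protection: signatures are out of date")

    # 5. Patch management: no critical/high patch older than the window
    for patch in host.pending_critical_patches:
        age = (today - patch.released).days
        if age > PATCH_WINDOW_DAYS:
            findings.append(f"patch management: {patch.patch_id} overdue ({age} days since release)")

    return findings


def audit(hosts: list, today: date) -> dict:
    """Map each host name to its list of findings (empty list means compliant)."""
    return {h.name: check_host(h, today) for h in hosts}


# Constructed sample inventory: one compliant host and one that fails every area.
TODAY = date(2017, 8, 1)
SAMPLE_HOSTS = [
    Host("fileserver", True,
         [Account("svc-backup", "Tq7!vLm2#pR9"),
          Account("jane", "correct-horse-battery", is_admin=True, everyday_use=False)],
         True, date(2017, 7, 31), []),
    Host("reception-pc", False,
         [Account("admin", "admin", is_admin=True, everyday_use=True)],
         True, date(2017, 6, 1),
         [Patch("patch-001", date(2017, 7, 11))]),   # constructed patch id
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_HOSTS, TODAY).items():
        status = "PASS" if not findings else "FAIL"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Each finding carries the control area it belongs to, so the output maps directly onto the self-assessment questionnaire; swapping the constructed inventory for data pulled from your own asset register is the only change needed to run it for real.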

As one of the team from the SOUTH WALES CYBER SECURITY CLUSTER once told me … being Cyber Essentials certified builds customer confidence in you as a service provider, showing them that you take security, and in turn privacy, very seriously.

After four years of preparation and debate, the GDPR was finally approved by the EU Parliament on 14 April 2016.

Enforcement date: 25 May 2018 … at which time organizations that are not compliant may face heavy fines.