Ticketmaster and Travelodge data crisis
Ticketmaster and Travelodge are both household names, so when news broke of their involvement in major data breaches, regional SMEs may have believed such incidents would never happen to them.
However, you should take heed, as this is just the start of the journey, not the finish. Smaller organisations should not be complacent and should take action to prevent and mitigate the consequences of potential breaches.
Why is this the case?
Ticketmaster’s UK customers were warned they could be exposed to fraud or identity theft after the major data breach. It has since emerged that the breach involved malware (software written with the intent of doing harm to data, devices or people) on a product hosted by an external third-party supplier. Likewise, Travelodge has said that personal details of customers could have been stolen after unauthorised access was gained to server data belonging to a third-party company.
Do you use a third-party supplier?
If you do, you need to ensure they are also GDPR compliant. If a breach occurs, it is not a defence to simply say that the data was stored or managed by a third party. Thousands of SMEs will use third-party suppliers to process personal data on their behalf. Just a few examples include restaurants taking online bookings, companies using payroll providers, firms with external website developers, or those that use confidential waste disposal suppliers.
Please ensure you act now
While the GDPR D-day of May 25th has now come and gone, it is important that compliance is something that organisations have achieved or are actively working towards. Even smaller organisations may receive fines for data breaches, depending on the nature and seriousness of the breach, and should consider it a question of ‘when’, not ‘if’, they are hit by a breach.
Whilst the threat of fines may generally be lower for SMEs, as opposed to corporate giants, another possible consequence of data breaches is reputational damage and loss of customer trust.
There is no doubt that some organisations are still failing to recognise the need for compliance with the new data protection regime, and they should be aware of the consequences of failing to have the right processes, policies and procedures in place.