Yep... it's happened... the first ICO fines are trickling through, and even being an upright charity like the Bible Society does not provide absolution.
At a recent conference held at Goldman Sachs, the warnings were stark. Everyone, especially the board, has personal responsibility for making sure that the right procedures are in place to protect people's data.
It is no longer acceptable to say 'I just don't understand all that IT stuff, I leave it to my tech people'. The CEO and the board are personally responsible for ensuring that everyone understands exactly what procedures are in place, how they work and how they are monitored.
That means there has to be a proper communications plan in place, and that everyone from the most junior to the most senior member of staff knows what their responsibilities are and how sensitive the data they are looking after is.
Reputations will be won and lost on the back of this new legislation. Imagine a client or customer asking you to send them all the data you hold on them. Would it stand up to private, let alone public, scrutiny? Briefing notes, appraisal forms, analyst notes: all of these fall within the scope of a subject access request, and the individual is entitled to see what you have written about them.
In many cases there is of course a legitimate need to hold such data, but if a request comes in, the data still has to be provided, subject only to the limited exemptions the law allows.
And what if there is a breach? Is there a plan in place to notify the ICO within 72 hours of becoming aware of it, where the breach is likely to put people at risk, and to deal with the deluge of publicity from traditional, social and digital channels?
I wonder how many employee briefings there have been and how many staff know where to turn if they are unsure? Were the communications department even involved in putting together a process and a plan?
Or was it just one of those 'IT things'...?
The Information Commissioner's Office (ICO) has fined the British and Foreign Bible Society £100,000 after attackers gained access to more than 400,000 supporters' personal data. The Commissioner found that, although the Society was the victim of a criminal act, it failed to take appropriate technical and organisational steps to protect its supporters' personal data. Note that because the intrusion took place in 2016, before the GDPR applied, the penalty was issued under the Data Protection Act 1998, where the maximum fine was £500,000; the same failings under the GDPR expose an organisation to far higher penalties.