On the 25th May the General Data Protection Regulation (GDPR) will have been in force for a year, and whilst the topic was at the forefront of people's minds this time last year, it is tempting with the passage of time to allow other issues to take priority.
However, data protection is an evolving beast and businesses cannot become complacent. Policies need to be continually reviewed to ensure that they are still compliant. As a stark reminder of this, pregnancy club Bounty UK have been fined £400,000 for illegally sharing the personal information of more than 14 million people. The fine was issued by the Information Commissioner's Office (ICO) in what it said was an 'unprecedented' case. The ICO found that Bounty compiled personal data but did not tell people that it was shared with 39 other organisations. The data shared was of 'potentially vulnerable' people, including new mothers and very young children, and the 'careless' data sharing was likely to have caused distress to many people because they did not know it was being shared so widely.
Bounty have acknowledged the ICO's findings and have now made changes to how they handle member data. Amongst other measures, Bounty have planned to appoint an independent data expert to carry out an annual survey to ensure they do not breach data protection laws.
It may not be feasible for all businesses to use an outside agency, but it certainly makes sound business sense to regularly review your procedures. The ICO have repeatedly stated that they would prefer to engage with companies rather than issue punishments straight away but, as Bounty have found to their cost, failure to comply can be a long way from paradise.