A fundamental requirement of email marketing is to keep your security systems up to date. However, defenders usually react to threats after they appear, so they are always one step behind the attackers: what we view as cutting edge is a solution to yesterday's problem.
You are no doubt reassured that your security systems, which control access by way of passwords, are as current as you can make them. Bear in mind, though, that attackers weigh the value of a target against the effort needed to breach it. A poorly protected target is attractive even if it is not the most valuable one.
It is not only your email marketing lists that are in danger, although that threat is serious enough. If you suffer a breach of personal data, your company's reputation will take a serious hit. On top of that, the Information Commissioner's Office (ICO) may take enforcement action against you, including a monetary penalty.
There are two main legal requirements with regard to keeping up to date with threats in the digital age. Firstly, your security measures must be appropriate to the likely threats. That means it is up to you to establish the threat level and respond to it. The General Data Protection Regulation (GDPR) allows the cost of implementation to be a consideration, alongside the state of the art and the risk to the individuals whose data you hold, but this is not a 'get out of jail free' card. The tricky business of balancing risk against cost is one that is left to you to work out.
The other aspect of this is that you must be able to demonstrate that you took all justifiable steps to secure your data. Everyone who handles your email marketing lists, for instance, must be trained and aware of the threats. Whilst the action of a member of staff that caused a breach might have been accidental, they should have been aware of the dangers of that action.
The question the ICO will ask is whether what you did was reasonable. Ensure that your decisions were based on information rather than guesses, and keep a record of them. The last thing you want when clearing up the mess left by a data breach is to have to worry about what you are going to say to the ICO.
The ICO has recently published an updated guide to assist you. See: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/