Everyone in email marketing should be finalising their procedures to ensure conformity with the requirements of the General Data Protection Regulation (GDPR). That much of it is common to the regulations it replaces is something to be wary of. The wording is similar, as one would expect given that it comes from the same source, but there are fundamental and significant differences.
Take a personal data breach. Our email marketing lists are sacrosanct and we all feel we have secured them against unauthorised access, at least as much as we can. However, when we are told there are security flaws in the processors of virtually all computers, there can never be certainty.
The GDPR tells us what to do when there is a personal data breach but that’s not an awful lot of use if we don’t know what one is. It is described as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. In other words, it is a security incident involving personal data which affects its confidentiality, integrity or availability, such as:
1/ An unauthorised third party gains access
This would include the much publicised scenario of hacking from remote devices. Ransomware also comes within this heading if, for instance, your email marketing list data is among the data made unavailable. The less dramatic but probably more frequent situation of an unauthorised member of staff having access is also included.
2/ Deliberate or accidental action (or inaction) by a controller or processor
We are all dependent on the abilities of our staff. The risks can be lowered to a great extent by education – ensuring they are up to date on the GDPR requirements – and oversight. If their procedures are not checked regularly, how are you to decide whether they need more instruction?
3/ Sending personal data to an incorrect recipient
It could be a simple mistake, a deliberate act or lack of knowledge. Regardless of which it is, it is a data breach and requires a response.
4/ Computing devices containing personal data being lost or stolen
We secure our data behind firewalls and virus checkers, but do you ensure your premises are equally secure? If you transport personal data on a USB or other drive, do you ensure it is always encrypted? Whilst encryption won’t stop a data breach if the drive is stolen or misplaced, it will probably reduce your culpability significantly.
5/ Alteration of personal data without permission
This is normally the fault of your established procedures. Ensure each data controller and processor knows precisely what they can and cannot do. This includes seeking authority when required. There must be checks in place.
6/ Loss of availability of personal data
If there is a hardware failure or personal data is inadvertently wiped from your records, then this may be a data breach. It may also be a disaster for your company, so ensure you have back-ups of all personal data and that they are kept up to date.
We will cover how you should respond to data breaches in a future article.