In the wake of the new General Data Protection Regulation (GDPR) in Europe it seems that businesses are a lot more aware of the drawbacks involved in experiencing a data breach, with consumer complaints to the Information Commissioner's Office (ICO) more than doubling since it came into force. According to data from law firm EMW, between May and July 2017 there were 2,417 complaints recorded, but the same time frame in 2018 saw a 160% increase to a massive 6,281.
Under GDPR, depending on the extent of a breach and how efficiently and quickly it is dealt with, fines can be as high as €20 million (approximately £17.5 million) or up to 4% of annual turnover, whichever is larger. With higher penalties issued to those who fail to report incidents to the ICO as soon as they become aware of a breach, it is understandable that organisations are increasingly concerned about the repercussions a data breach would have on their business. The number of data breaches has not increased, but it is evident that stricter precautions are being taken to prevent large financial damages.
An ICO spokesperson said:
“It’s early days and we will collate, analyse and publish official statistics in due course. But generally, as anticipated, we have seen a rise in personal data breach reports from organisations. Complaints relating to data protection issues are also up as more people become aware of their individual rights.”
According to research conducted by Salesforce, 59% of customers around the world believe their personal information is vulnerable to a security breach. Added transparency and awareness around data breaches, including revelations from recent high-profile incidents such as Facebook, Equifax, Ticketmaster, British Airways and Newegg, have given consumers a clearer understanding of how their personal data is handled, or in some cases mishandled. By raising complaints to the ICO, they are being extra cautious about the safety of this information.
It’s imperative that organisations gain customer confidence and are not only transparent about how consumer information is being used, but that they fully express their commitment to protecting it, continuously evaluating how they collect and handle the data within their corporate network.
Ian Woolley, chief revenue officer at data privacy company Ensighten, said:
“Governing bodies need to be tighter on the misuse of data and follow through with their word of placing financial sanctions on those who do not adhere to the regulation. Brands need to stop viewing GDPR as just a legal hurdle to jump. Consistent data governance is the only way to ensure that brands aren’t putting their customers or reputation at risk.”
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. By adhering to these standards, organisations can demonstrate the steps they have taken to protect customers' sensitive card payment details, also known as Sensitive Authentication Data (SAD). For example, PCI-DSS recommends that organisations provide a telephone payment service that allows customers to enter their card details on a telephone keypad, rather than speaking them out loud to an agent who may fraudulently write them down.
The majority of undisclosed threats come from internal staff or call agents tempted to steal customer details, which is almost impossible to measure accurately compared with malicious external attacks. By trusting a third-party PCI-compliant payment solutions provider, such as Key IVR, organisations can take Card Not Present (CNP) payments with confidence and minimal risk of data theft. With customers' card details kept out of scope of the entire business environment, the ability of hackers or rogue agents to access any sensitive customer information is reduced.
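The keypad-entry approach described above works because the card number only ever exists inside the payment component: the agent desktop receives a masked progress indicator and, on completion, a token plus the last four digits. The following is an added illustration of that data flow, not Key IVR's code or any real provider's API; the IVR keypad source and the tokenisation vault are both simulated here (assumptions), and the Luhn check is the standard card-number check digit test.

```python
import secrets
from typing import Dict, List


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check-digit test used for card numbers."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits for the agent's record."""
    return "*" * (len(pan) - 4) + pan[-4:]


class FakeTokenVault:
    """Stand-in for a payment provider's tokenisation service (assumption).
    In a real deployment the PAN would leave the business's network here."""

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)
        self._store[token] = pan
        return token

    def holds(self, token: str) -> bool:
        return token in self._store


class DtmfCardCapture:
    """Collects keypad digits inside the payment component only; nothing
    returned to the caller of on_keypress() contains the full PAN."""

    MAX_LEN = 19

    def __init__(self, vault: FakeTokenVault) -> None:
        self._vault = vault
        self._digits: List[str] = []

    def on_keypress(self, key: str) -> dict:
        if key == "#":  # caller confirms entry
            return self._complete()
        if key == "*":  # caller restarts entry
            self._digits.clear()
        elif key.isdigit() and len(self._digits) < self.MAX_LEN:
            self._digits.append(key)
        # The agent desktop only learns how many digits have been pressed.
        return {"event": "progress", "masked": "*" * len(self._digits)}

    def _complete(self) -> dict:
        pan = "".join(self._digits)
        self._digits.clear()  # never retain the PAN after hand-off
        if not 13 <= len(pan) <= self.MAX_LEN or not luhn_valid(pan):
            return {"event": "rejected", "reason": "invalid card number"}
        token = self._vault.tokenise(pan)
        return {"event": "captured", "token": token, "masked_pan": mask_pan(pan)}


def run_call(vault: FakeTokenVault, keys: List[str]) -> List[dict]:
    """Simulate one call: feed constructed keypad presses through the capture
    component and return everything the agent desktop would have seen."""
    capture = DtmfCardCapture(vault)
    return [capture.on_keypress(k) for k in keys]


if __name__ == "__main__":
    vault = FakeTokenVault()
    # Constructed test PAN (a well-known Luhn-valid test number), not real card data.
    agent_view = run_call(vault, list("4111111111111111#"))
    print(agent_view[-1])
```

The point to check in a review of such a design is the last assertion below: the complete agent-side event log never contains the PAN, so the agent desktop, its call recordings and its logs stay out of PCI-DSS scope.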
PCI-DSS covers many other aspects, and full compliance can be a difficult task to achieve. Working with a third-party organisation that specialises in PCI-DSS compliant solutions takes a lot of the pressure off businesses that aren't always familiar with every aspect it involves. For more information regarding how Key IVR could provide your business with a secure payment solution, contact [email protected] or call +44 (0) 1302 513 000.