It has been reported that pregnancy club Bounty UK has been given a £400,000 fine by the ICO for illegally sharing the personal information of more than 14 million people.
Experts Commets:
Anjola Adeniyi, Technical Leader for EMEA at Securonix:
“With this kind of illegal data sharing, mothers and babies may be unable to tell if they have suffered a data breach with one of Bounty’s third parties. The fine may have been greater if it wasn’t that the breach happened before GDPR came into effect. Hopefully the wider market can learn from Bounty’s experience, and avoid such misconducts.”
.
.
Ian Smith, CEO and Founder at Gospel Technology:
Many mothers over the last 20 years have been pleasantly surprised to receive free samples and vouchers from retailers without really knowing how the retailers knew they had just given birth. Accelerate forward 20 years, where mothers now ‘opt-in’ to marketing programs fuelled by a regulated data-driven economy. Businesses that hold personal data have a responsibility to ensure that it is managed appropriately and according to the ‘opt-in’ criteria originally agreed by the consumer. The public’s hypersensitivity around how their personal data is used and who has accessed it, requires businesses that operate in the same category as Bounty to commit to a comprehensive and systematic review of data processes and identify the areas in need of improvement.
The acknowledgement by Bounty that they “did not take a broad enough view of our responsibilities and as a result our data-sharing processes, specifically with regards to transparency, were not robust enough.”, is an admirable response, but it has cost them a fine of £400,000 and 34.3 million PII records that were illegally shared and are still retained for re-use with the recipient market agencies. Regulations such as the GDPR go a long way towards ensuring that individuals get the control they desire, but businesses need to do their part by putting the right technology and processes in place to be transparent and reassure customers.
By creating a secure decentralised, transparent environment, businesses can provide assurance that the data generated from customer interactions is not being used against their ‘opt-in’ consent. This environment provides an end-to-end, tamper-proof, trusted audit trail of data, that protects consumers and businesses and provide simple contextual access controls, managing who can access to their personal details. Not only will this ensure data trust and integrity, it will also go a long way towards winning the confidence of the consumer. .
Twitter’s Reaction
Parenting support club Bounty could face compensation claims following data breach fine – Sean Humber from Leigh Day comments https://t.co/gpbdI5AfFP pic.twitter.com/IE5x56zjnf
— Leigh Day (@LeighDay_Law) April 13, 2019
Hopefully this fine means the end of Bounty data hunters on NHS maternity wards. I had to explain to 3 diff reps that they couldn't get a lovely photo because my baby was in intensive care. But I did get a sudocrem sample https://t.co/9elgGGstkp
— Laura J Horsfall, PhD (@drljhorsfall) April 12, 2019
https://twitter.com/suzanneguilloud/status/1116683236271362048
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.