New year honours data breach highlights the importance of risk management tools

January 11, 2020

For anyone who lives or works in the UK, the New Year honours list always gathers a lot of attention. An annual tradition that began in Queen Victoria’s reign, the New Year honours are part of the British honours system and reward people for a wide variety of achievements.

These include sporting success, military bravery, public service and much more, and recognise celebrities as well as members of the general public. The most recent New Year honours announcement (27 December 2019) was even more high profile than usual, because the UK government published online the private home addresses of more than 1,000 of the people being honoured.

Not only is this a breach of the General Data Protection Regulation (GDPR), it also highlights the value of risk management tools in helping to manage and mitigate risks such as a data breach.

Does the UK government require a GDPR compliance tool?

GDPR requires organisations to notify the supervisory authority in their country when a personal data breach has taken place, and they must do so within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to the people affected). The addresses that were published were meant to be redacted and were available online for several hours before the mistake was noticed and the addresses removed.

Home addresses are not in themselves among GDPR’s special categories of personal data, but the risk that a disclosure poses depends heavily on whose address it is. In this case the list included celebrities such as the singer Elton John, but also officers within MI5, the UK security service, and former cabinet ministers. For the latter two groups a published home address is a genuine safety risk, which is exactly the kind of harm GDPR’s breach provisions are meant to address.

The UK government did notify the Information Commissioner’s Office (ICO) within the required time, and the incident was most likely down to human error rather than anything more sinister. It still counts as a breach under GDPR, however, and the UK government could become one of the highest-profile organisations yet to fall foul of the regulation, comparable in stature to previous examples such as Google and British Airways, which have already faced GDPR enforcement action.

Human errors such as this strengthen the case for a GDPR compliance tool, or GRC software, to do much of the heavy lifting in keeping personal data handling compliant. GDPR is an ongoing obligation: every item of personal data an organisation processes must be handled in line with it, from collection through to publication or deletion. Compliance software helps manage these requirements consistently, and an organisation without such controls is risking a substantial fine.

The need for risk management software

Integrated GRC tools, such as Oxial’s sGRC solution, are perhaps the most effective way for an organisation to manage and mitigate risks such as non-compliance with GDPR. sGRC is offered in two editions, sGRC Express and sGRC Suite.

It is an integrated IT GRC tool that includes compliance software to help ensure compliance with a wide variety of regulations, together with a complete enterprise risk management function.

Human error resulting in a data breach, as in the UK government’s New Year honours list, is a business risk, and knowing how that risk could impact an organisation is essential information.

Understanding risk is key to effective mitigation

Risk is everywhere for organisations in 2020 and is virtually unavoidable. But risk need not be catastrophic for a business. Understanding the damage that various risks can cause, and the best course of action to take when they materialise, means that organisations can be genuinely better protected against the risks and threats they face.

It has been reported that UK government officials are offering security advice and guidance to the people on the New Year honours list whose addresses were published. That is to be welcomed, but it is also fair to say that with enterprise risk management software or an IT GRC tool in place, the UK government could have managed the whole affair much better than it did.

If your organisation wants to mitigate risk more effectively in 2020 and beyond, get in touch with one of our risk management experts to learn how we might be able to help you.