It is interesting to read today in Data Economy that US staff and housing applicant screening company, First Advantage, has opened a new data centre facility in Amsterdam in order to help them comply with GDPR. “This enables our clients to have the confidence their data and that of their candidates is secure and protected to the highest standards and complies with GDPR,” said the company. It is good to see that First Advantage take data privacy and data security very seriously. Will this be the first of many overseas organisations choosing to locate data centres in the EU to help with GDPR compliance?
Since the implementation of GDPR there have been a number of declarations of data breaches. Some, like that of Dixons Carphone, actually occurred before GDPR came into force but are, nonetheless, indicative that many organisations, even large ones, do not have the security in place to protect our personal data.
Of course, Dixons Carphone are lucky … their data breach occurred well before the implementation of GDPR and they will avoid a hefty fine. Others may not be quite so fortunate – Ticketmaster publicly declared a data breach on the 27th June, making their declaration well after the 25th May implementation. The information that could have been compromised includes names, addresses, and email addresses, as well as telephone numbers, payment details, and log-in details for Ticketmaster.com. There is some doubt as to when Ticketmaster might have known about this compromise since, although they only declared the breach on the 27th June, it appears they may have known about it much earlier. Allegedly, the online bank Monzo warned Ticketmaster of a possible identity theft problem on April 12. Ticketmaster visited Monzo’s offices and then promised to “investigate internally.” They subsequently told Monzo that they did not find any evidence of the breach.
The problem for Ticketmaster comes from the reporting requirements under GDPR. Any data breach must be reported within 72 hours of the firm learning of it. Ticketmaster claims that they didn’t know about this breach until June, but if Monzo and MasterCard (who apparently issued an account data compromise alert to all banks on the 21st June) are correct, Ticketmaster knew about the data breach much earlier and have breached GDPR. If true, that failure to declare could cost them dearly.