UK consumers support fines for firms that lose personal data

Most UK consumers would like the government to take more action to ensure companies protect personal information

A majority of UK consumers would like to see government fines for companies that fail to provide sufficient safeguards for personal information, a survey has revealed.

Some 86% of more than 1,000 UK consumers polled by the Institute of Customer Service (ICS) think the government should review data protection laws, while 77% feel it should do more to protect data from cyber attacks.

The findings of the survey are in line with the recommendations by the Department of Culture, Media and Sport (DCMS) Committee’s inquiry into the October 2015 data breach at TalkTalk, which saw the personal information of 155,000 people compromised.

The committee has published a set of recommendations in its inquiry report for improving data security in the UK, including the introduction of escalating fines for delays in reporting breaches of personal data.

The report also recommends that the government initiate a public awareness-raising campaign about online scams and allocate more resources to the Information Commissioner’s Office (ICO), the UK’s data protection authority.

Although most UK consumers would like to see more government action on data protection, 62% also believe businesses should do more to safeguard personal information, according to the ICS survey, which was included in a written submission to the DCMS committee’s inquiry.

The ICS survey shows only 13% of respondents are confident that their personal information is protected and only 15% trust organisations do everything possible to prevent security breaches.

“Businesses need to accept responsibility, rather than offer excuses, if customer data is exposed in a cyber security breach,” said Jo Causon, chief executive of the ICS.

“Almost one in four consumers say nothing can restore their trust after a data breach, so if cyber security attacks continue at the current pace, business performance will suffer as concerned customers swap loyalty for personal data safety,” she said.

The ICS survey shows that 22% of respondents no longer trust companies that have suffered a breach, while 28% said they avoid organisations that have suffered a breach. In the event of a breach, 41% seek immediate notification, 23% want compensation and 10% look for an apology.

“A customer’s experience is determined not just by performance when things go well, but the promise of performance when things go wrong,” said Causon.

“That’s why the organisations best able to deliver a strong, reassuring and detailed outline of their cyber strategy will set themselves apart from their competitors and go a long way to securing the long-term loyalty of customers,” she said.

Response to inquiry

To reassure customers, the ICS outlines a series of actions businesses can take in its response to the DCMS Committee inquiry.

These include ensuring staff have the appropriate skills to communicate how data is protected and what is happening in the event of a cyber-attack; setting out the approach taken to protect customers’ data so consumers are fully informed and able to make a decision about what to share; and following a consistent set of standards across an organisation so that customer data is continuously protected no matter where it is held or analysed.

“It’s too easy to blame organisations when a breach happens because personal security cannot be wholly delegated by consumers,” she said.

“However, unless UK companies are transparent about their approach and the actions taken when things go wrong, trust will continue to fall. If that happens, loyalty, repeat purchase and recommendations are likely to fall too, which is something organisations can ill afford.”

Security should be a ‘core principle’

The DCMS Committee report recommends that cyber security should sit with someone in a company who is able to take full day-to-day responsibility, with board oversight, and who can be fully sanctioned if the company has not taken sufficient steps to protect itself from a cyber attack.

Companies should also provide well-publicised guidance to existing and new customers on how they will contact customers and how to make contact to verify that communications from the company are genuine, the report said.

The report recommends that security by design should be a core principle for new system and app development and a mandatory part of developer training, with existing development staff retrained as necessary.

BCS ‘increasingly concerned’ about personal data

BCS, The Chartered Institute for IT has welcomed the DCMS Committee’s report, entitled Cyber Security: Protection of Personal Data Online.

David Evans, BCS policy and community director, said the report includes some “very welcome” suggestions to support organisations in keeping people’s data safe.

“It also underscores that the organisation-centric way we manage data is increasingly under pressure. The measures proposed – while sound – will incrementally help rather than eliminate the underlying dysfunction,” he said.

As an institute whose purpose is to make IT good for society, Evans said the BCS is increasingly concerned about how the collection and use of personal data is affecting everyone in society.

“Our own survey results show that security is the top issue keeping IT professionals awake at night, while a separate survey shows that 89% of people in the UK think they should be able to control what data a company collects about them online, and what it uses this data for,” he said.

Evans said this requires some “bigger shared solutions”, as well as incremental improvements. “This is why we are encouraging individuals and organisations to come together and shape the future of personal data,” he said.

Person-centric approach to data

Through its personal data challenge launched in November 2015, the BCS is aiming to bring together interested parties to discuss how people can have control of their personal data. At the same time, organisations will be empowered to use data in more beneficial ways, with genuine trust on both sides.

“The goal is to achieve the full potential of data by seeking the best possible public benefit; to achieve the best outcomes for the most people with the least risk and harm,” said Evans.

“We want common currency; technical and legal systems to unlock the power and utility we know is possible when personal data is aggregated around individuals and organisations.

“We believe that by bringing together people and helping them to work differently, we can collectively deliver those benefits while also increasing public confidence in how personal data is used.

“A person-centric, accessible and understandable approach to data will become the bedrock of 21st century service provision, the trigger for the innovation of a wide range of new business models and services, and one of the means by which social and societal benefits will be achieved,” he said.