We think it is well worth talking about GDPR in the context of the last twelve months' worth of data breaches we have seen in the UK, and we believe GDPR may help reduce at least some of your exposure. You may already know that GDPR gives you the right to request that companies delete all of the data they hold on you, and we think this is a great way to proactively remove your data from databases before they get breached (if they have not already been breached).
According to UK government figures, more than half of UK businesses have suffered some sort of cyberattack. Given that there are something like five and a half million companies in the UK, we can infer that at least two million businesses in the UK have been attacked by cyber criminals at some point over the last few years.
Even if only a small number of those companies have your data, that data will be taken by cyber thieves should any of them ever suffer a data breach in a cyber attack. Here are some of the most well known UK data breaches from the last twelve months alone, but there are many more, and many of them go unreported.
Sports Direct – This data breach was badly handled by high street retailer Sports Direct, which did not report the breach until more than three months after it happened. Cyber criminals made off with the personal information (including national insurance numbers) of 30,000 people, including Sports Direct employees.
ABTA – The association of travel agents and tour operators, ABTA, became the victim of a data breach in February 2017 which affected more than forty thousand people. Oddly, the stolen data contained the personal details of people who had complained to ABTA, as well as the details of their complaints to the association.
Three – The UK mobile phone operator suffered a major breach in March 2017 when their data was stolen by hackers who made off with the personal details of more than two hundred thousand of Three’s customers. This follows a similar breach Three suffered from in 2015 when yet more of their customer data was stolen.
Debenhams – In May 2017 a malware attack on the historic high street retailer Debenhams exposed the personal details of more than twenty six thousand of its customers. The breach occurred through one of its partners, meaning that even if a company secures your data properly, its partners might not.
Wonga – A particularly serious data breach that affected more than two hundred and fifty thousand of the payday lender's customer records in May 2017. Because Wonga holds a lot of financial information on its customers, this data included bank account details, addresses, phone numbers and more.
Dixons – The high street electronics retailer suffered a major data breach when more than one million of its customers' personal details were exposed, including names, home addresses and email addresses. Hackers attempted to compromise 5.9 million credit card records from its processing system, but because most of these cards had chip and PIN protection, the data did not include CVV codes or PINs.
London Bridge Plastic Surgery Clinic – When this prestigious plastic surgery clinic (with celebrity customers) suffered a cyber attack in October 2017, the extremely personal details of its customers were stolen, including pictures of genital surgery and before and after pictures of breast enhancement. This breach compromised the clinic's entire customer database and the associated customer pictures.
BUPA – Private health company BUPA lost more than one hundred thousand customer records and the associated medical details in a data breach perpetrated by one of its own employees. The employee was later discovered and arrested by the police, but that health data is still out there.
Against the backdrop of these and other UK data breaches, it's fair to assume that there are some companies out there who are holding your data and who will at some point get breached. The question you have to ask yourself is "do these companies need to hold my data?", and if the answer is no, then GDPR gives you the right to demand that they delete all of your data: the 'right to be forgotten'.
The idea is that if a company does not have your data, then your data cannot be leaked if that company ever loses data in a cyberattack. GDPR means that the days of companies hoarding your personal data, just because they can, are long gone.
There is currently no way of getting a list of all the companies who hold data on you; such a thing does not exist yet. However, GDPR also means that companies who do hold your data have to contact you and ask for your permission to hold it.
A company needs your explicit consent in order to hold data on you, and by law it has to ask you for that explicit permission. Whenever a company contacts you and asks for this permission, you know it has some sort of data about you. Under GDPR you have the right to demand to see all of the data it holds on you, and this is something we think is well worth doing.
You need to ask yourself whether the company really needs your data. If the answer is no, ask them to delete it and then to confirm its deletion to you, as is your legal right.
“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”
Aim Ltd Chief Technology Officer (CTO)