It seems like an obvious thing. For any firm responsible for vast quantities of personal data on behalf of its customers, and in this case employees too, data security should be at the top of the priority list.
Vast organisations, such as Carphone Warehouse (in the news this week for an appalling data breach, and heavily fined for it), are indeed well resourced, but important internal knowledge can be lost in transitions of people and systems over time. Although it's not clear from reporting exactly how the hackers were able to access such data, the use of the phrase "using an out of date version of WordPress" is horribly alarming.
NOW is the time for all companies in the midst of GDPR preparations to take solid steps to put data security at the top of the agenda. Clearly, we are all keen that firms don't bore us endlessly with unwanted marketing emails and spam, so many companies are focussing on consent, a small part of the entire GDPR ethos. For the average person, however, this pales into insignificance when set against the risk of having our personal financial data fall into the hands of unscrupulous hackers.
Not everyone will, of course, face such a large fine, but under GDPR you will be held accountable for breaches, and any firm can be a target.
With four months to go, there's still a lot to do.
The Information Commissioner, Elizabeth Denham, said: "A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks. Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures."