Thought all that preparation for the arrival of the EU’s General Data Protection Regulation – or GDPR – on May 28 last year was behind you? Think again. Irrespective of Brexit, the data protection show must go on. Theatre owners, ticketing agencies, and other live-entertainment organisations processing personal data can’t afford to be complacent.
We’ve yet to see the UK’s data protection regulator, the Information Commissioner’s Office, issue the eye-watering fines made possible under the GDPR – these can reach up to the greater of €20 million or 4% of worldwide turnover. But it would be unwise to dismiss these sanctions as unlikely to happen. The ICO has spent the past year behind the scenes harmonising its approach with other EU authorities, and is now ready to take the stage and show its regulatory teeth.
Lessons can be learned from the data breach reported by Ticketmaster in June last year, when an attack on its website’s chat tool allowed hackers to steal the personal data (including payment card details) of up to 40,000 customers.
According to Inbenta, the third-party supplier of the chat tool, Ticketmaster deployed a line of Inbenta-supplied code, which Inbenta had previously modified, on its payments page in a manner not known to or anticipated by Inbenta. Attackers were able to tamper with that code and use it to harvest customer information entered on the page. This underlines the importance of maintaining full communication with any supply-chain partners who process the personal data you control, of knowing exactly where and how their code runs on your systems, and of ensuring that those partners have in place controls at least as secure as your own.
While Ticketmaster did email potentially affected customers, offering them a year’s free use of an identity monitoring service, this wasn’t enough to stop the launch two months ago of a £5 million class action against the company on behalf of more than 650 customers.
If organisations as well-resourced as Ticketmaster can struggle with the fallout from a data breach, it’s crucial that other entertainment organisations that control personal data have robust procedures in place and sufficient trained staff to handle any similar situation. If an organisation suffers a personal data breach, it will have to act quickly to investigate and, if the breach is confirmed as a risk to individuals’ rights and freedoms, notify the ICO within 72 hours of becoming aware of it. If the breach poses a high risk to the affected individuals’ private lives, those individuals will also need to be notified.
Finally, when (not if) the first GDPR fines are issued by the ICO, these might relate to other contraventions, such as a lack of any lawful basis for processing data. If an organisation manages or markets to a database of patrons, it must ensure it has carefully determined which lawful basis it is relying on when processing a particular personal data set and that it has been clearly communicated to customers in a privacy notice.
With theatregoers’ awareness of their data rights now greatly increased, the more transparent an organisation is about the basis on which it processes their data, the greater its chance of securing their loyalty and avoiding the attention of the ICO.
Raj Shah is an associate in the commercial and data privacy teams at Collyer Bristow. collyerbristow.com