The government department that is responsible for implementing the General Data Protection Regulation (GDPR) has committed an email faux pas with UK journalists which could also mean it has broken its own rules.
Flagged by Guardian journalist Alex Hern on Twitter, the email was regarding its announcement on age verification rules on online pornography. Hern tweeted: "DCMS has just announced that the porn filters are coming online on July 15, in an email that cc's every media and technology journalist in Britain."
According to the Information Commissioner's Office (ICO)'s website, "The GDPR applies wherever you are processing ‘personal data.' If the email addresses make obvious the name, such as 'initials.lastname@company.com,' GDPR will apply."
Furthermore, the GDPR protects people from being cold-emailed or spammed requiring explicit consent from individuals. If anyone on the mailing list didn't consent to being on it, there might be a breach.
What counts as consent?
- Consent must be freely given; this means giving people genuine ongoing choice and control over how you use their data
- Consent should be obvious and require a positive action to opt in. Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly
- Consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity
- You must make it easy for people to withdraw consent at any time they choose
While DCMS is a high-profile organization, breaches due to human error are not uncommon. In the last two years of reports of UK data breaches to the ICO, just 12% were the result of malicious attacks, according to Kroll. This means that 88% were the result of human error.
"Effective cybersecurity is not just about technology. Often, companies buy the latest software to protect themselves from hackers, but fail to instigate the data management processes and education of employees required to mitigate the risks," said Kroll managing director, Andrew Beckett, to Infosecurity Magazine in September 2018. "The majority of data breaches, and even many cyber-attacks, could be prevented by human vigilance or the implementation of relatively simple security procedures."
The ICO confirmed it was aware of the incident, commenting: "We are in contact with the Department for Digital, Culture, Media and Sport regarding today’s email incident."