ICO fine

The ICO has imposed a fine on a UK retailer due to poor security safeguards

The Information Commissioner’s Office (ICO) has imposed a £500,000 fine on UK retailer DSG Retail Limited after a ‘point of sale’ computer system was compromised as a result of a cyber-attack, affecting at least 14 million people.

Ok, so your company accepts credit card payments for product sales or service offerings. You value security, so you've ensured that your website uses HTTPS (hypertext transfer protocol secure) to provide secured communication over the network. But is this enough to safeguard the highly sensitive personal data your customers hand over in online and offline sales? Have you set up adequate controls to thwart malware or intrusion attempts? Or do you believe this isn't something you need to worry about explicitly because… well, your site is HTTPS. "Secure" is built into the acronym, so what could possibly go wrong? A lot, actually, including the possibility of a hefty fine, particularly if your clientele are residents of the EU or UK. So we strongly urge you to take a detailed look at your company's safeguards, lest you find yourself in hot water, much like UK retailer DSG Retail Limited (DSG), which has been fined half a million pounds by the ICO for failing to keep personal information secure.

A January 9, 2020 ICO news article explains that an ICO investigation revealed that an attacker had installed malware on 5,390 tills at DSG's Currys PC World and Dixons Travel stores between July 2017 and April 2018, and had collected personal data for the nine-month period before the attack was detected. DSG's inadequate security systems therefore resulted in unauthorised access to some 5.6 million payment card details and the personal information of approximately 14 million people, including full names, postcodes, email addresses and failed credit checks from internal servers, the ICO further notes.

“Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen . . . The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR,” ICO Director of Investigations Steve Eckersley is quoted as saying in the news article.

The £500,000 ICO fine was levied under the Data Protection Act 1998 since the breach took place before the GDPR and DPA 2018 came into effect. Security of Processing is covered under article 32 of the GDPR.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and the UK Data Protection Act? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Data sharing code

ICO launches new Data Sharing Code in line with GDPR and DPA 2018

The ICO’s updated Data Sharing Code will provide companies with practical guidelines about how to share personal data in compliance with data protection legislation.

In today’s highly digital, efficiency-driven era, data sharing undoubtedly plays a significant role. Indeed, major technological shifts in how organizations do business present persuasive arguments for data sharing. Just as prevalent, however, are the related privacy concerns.

For public and private organizations alike, sharing data without compromising sensitive personal information is a vital balancing act, as is ensuring compliance with the GDPR and the Data Protection Act 2018.

The good news is that the update to the ICO data sharing code of practice is well on its way to being finalized.

Prepared under section 121 of the Data Protection Act 2018, the updated ICO data sharing code—currently in draft—will serve as a practical guide for organisations about how to share personal data in compliance with data protection legislation.

As noted in the draft code summary, the code explains the law and provides good practice recommendations. As such, “following it along with other ICO guidance will help companies manage risks; meet high standards; clarify any misconceptions organisations may have about data sharing; and give confidence to share data appropriately and correctly.”

According to the ICO the code will also address many aspects of the new legislation including transparency, lawful bases for processing, the new accountability principle and the requirement to record processing activities.

It is also important to note that in accordance with section 127 of the DPA the ICO will take the code into account when considering whether organisations have complied with their data protection obligations in relation to data sharing. In particular, the Commissioner will take the code into account when considering questions of fairness, lawfulness, transparency and accountability under the GDPR or the DPA. The code can also be used in evidence in court proceedings, and the courts must take its provisions into account wherever relevant.

Public consultation on the draft data sharing code was launched in July and came to an end on September 9th. The draft code is now expected to be approved by Parliament before it becomes a statutory code of practice.


Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.

GDPR student data

ICO children’s data fine imposed

The Independent Inquiry into Child Sexual Abuse has been fined £200,000 following the ICO's children's data decision.

The ICO has fined the Independent Inquiry into Child Sexual Abuse (IICSA) £200,000 after it sent a bulk email that identified possible victims of non-recent child sexual abuse, according to the ICO's children's data decision.

The Inquiry, set up in 2014 to investigate the extent to which institutions failed to protect children from sexual abuse, did not keep confidential and sensitive personal information secure. This is a breach of the Data Protection Act 1998.

On 27 February 2017, an IICSA staff member sent a blind carbon copy (bcc) email to 90 Inquiry participants telling them about a public hearing. After noticing an error in the email, a correction was sent, but the email addresses were mistakenly entered into the ‘to’ field instead of the ‘bcc’ field.

This allowed the recipients to see each other’s email addresses, identifying them as possible victims of child sexual abuse, according to the ICO's children’s data decision. Fifty-two of the email addresses contained the full names of the participants or had a full name label attached.
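The mistake described above is a visible-header error: the same list of addresses is harmless in bcc and a breach in to or cc. As an added illustration (example code, not from the article or the ICO decision), the bulk mailer below runs a preflight check and refuses to send when any address other than the sender's is exposed in a visible header. The sender mailbox, participant list and transport callback are constructed for the example.

```python
"""
Added example (not part of the original article): a preflight check for
bulk notifications that refuses to send when recipient addresses have been
placed in a visible header (To/Cc) instead of Bcc.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data: a sender mailbox and a list of participant addresses.
SENDER = "inquiry@example.org"
PARTICIPANTS = [
    "first.participant@example.com",
    "second.participant@example.com",
    "third.participant@example.com",
]


def build_bulk_notice(sender, recipients, subject, body, field="Bcc"):
    """Build a notice addressed to every recipient through one header field.

    field="Bcc" is the correct bulk send; passing field="To" reproduces the
    mistake described in the article, so the preflight check can reject it.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg[field] = ", ".join(recipients)
    # Put the sender in To so mail clients do not show an empty recipient line.
    if field != "To":
        msg["To"] = sender
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Return the set of addresses that every recipient can see (To and Cc)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


def preflight(msg, sender, max_visible=1):
    """Return (ok, reason).

    Rejects the message if anyone other than the sender appears in To/Cc,
    or if more than max_visible addresses are visible at all.
    """
    visible = visible_recipients(msg)
    strangers = visible - {sender.lower()}
    if strangers:
        return False, f"{len(strangers)} recipient(s) exposed in To/Cc"
    if len(visible) > max_visible:
        return False, "too many visible recipients"
    return True, "ok"


def send_if_safe(msg, sender, transport):
    """Hand the message to transport (e.g. an SMTP send) only if preflight passes."""
    ok, reason = preflight(msg, sender)
    if ok:
        transport(msg)
    return ok, reason


if __name__ == "__main__":
    outbox = []  # constructed stand-in for a real SMTP transport
    good = build_bulk_notice(SENDER, PARTICIPANTS, "Public hearing", "Details attached.")
    bad = build_bulk_notice(SENDER, PARTICIPANTS, "Correction", "Amended details.", field="To")
    print("bcc send:", send_if_safe(good, SENDER, outbox.append))
    print("to send: ", send_if_safe(bad, SENDER, outbox.append))
    print("messages actually sent:", len(outbox))
```

The check sits between message construction and the transport, so a correction sent in a hurry fails closed rather than leaking the list; the header parsing uses the standard library's getaddresses so display names and bare addresses are handled the same way.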

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services and Data Protection Officer outsourcing.

ICO fines

ICO fines for failure to pay fee

The ICO has fined a company for not registering with it and paying the fee, providing some initial guidance on ICO fines policy under the GDPR and the Data Protection Act 2018.


Noble Design and Build of Telford, Shropshire, which operates CCTV systems in buildings across Sheffield, was fined £4,500 in total and ordered to pay costs of £364.08 and a victim surcharge of £170.00.

The company failed to comply with an Information Notice and failed to register with the ICO, even though it was contacted three times, by letter and by email. The company was prosecuted under the Data Protection Act 1998 because of when the offences took place (September 2017 to January 2018). The new Data Protection Act 2018 came into force on 25 May 2018, and organisations that process personal data have a duty to pay a data protection fee unless they are exempt.

Although this gives us some guidance on ICO fines and enforcement under the GDPR and the Data Protection Act 2018, note that fines are expected to be higher under the two new pieces of legislation.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services and Data Protection Officer outsourcing.