The Information Commissioner’s Office (ICO) has imposed a £500,000 fine on UK retailer DSG Retail Limited after a ‘point of sale’ computer system was compromised as a result of a cyber-attack, affecting at least 14 million people.
OK, so your company accepts credit card payments for its products or services. You value security, so you have made sure your website uses HTTPS (Hypertext Transfer Protocol Secure) to encrypt traffic between your customers' browsers and your servers. But is that enough to safeguard the highly sensitive personal data your customers hand over in online and offline sales? Have you put adequate controls in place to detect and stop malware or intrusion attempts? Or do you believe this is not something you need to worry about explicitly because… well, your site is HTTPS. "Secure" is built into the acronym, so what could possibly go wrong? A lot, actually: HTTPS protects data only while it is in transit to your web server, not on the tills in your shops or on the internal servers where the data is stored, and getting this wrong can bring a hefty fine, particularly if your customers are residents of the EU or UK. So we strongly urge you to take a detailed look at your company's safeguards, lest you find yourself in hot water, much like UK retailer DSG Retail Limited (DSG), which has been fined half a million pounds by the ICO for failing to keep personal information secure.
A January 9, 2020 ICO news article explains that an ICO investigation revealed that an attacker had installed malware on 5,390 tills at DSG's Currys PC World and Dixons Travel stores between July 2017 and April 2018, collecting personal data for the nine-month period before the attack was detected. DSG's inadequate security systems therefore resulted in unauthorised access to the details of some 5.6 million payment cards and the personal information of approximately 14 million people, including full names, postcodes, email addresses and failed credit checks held on internal servers, the ICO further notes.
“Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen . . . The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR,” ICO Director of Investigations, Steve Eckersley, is quoted in the news article.
The £500,000 ICO fine was levied under the Data Protection Act 1998, since the breach took place before the GDPR and the DPA 2018 came into effect. Security of processing is covered under Article 32 of the GDPR.
The ICO’s updated Data Sharing Code will provide companies with practical guidelines about how to share personal data in compliance with data protection legislation.
In today's digital, efficiency-focused era, data sharing undoubtedly plays a significant role. Indeed, major technological shifts in how organizations do business present persuasive arguments for data sharing. Just as prevalent, however, are the related privacy concerns.
For public and private organizations alike, the balancing act of sharing data without compromising sensitive personal information is vital, as is the need to ensure compliance with the GDPR and the Data Protection Act 2018.
The good news is that the update to the ICO data sharing code of practice is well on its way to being finalized.
Prepared under section 121 of the Data Protection Act 2018, the updated ICO data sharing code—currently in draft—will serve as a practical guide for organisations about how to share personal data in compliance with data protection legislation.
As noted in the draft code summary, the code explains the law and provides good practice recommendations. As such, “following it along with other ICO guidance will help companies manage risks; meet high standards; clarify any misconceptions organisations may have about data sharing; and give confidence to share data appropriately and correctly.”
According to the ICO, the code will also address many aspects of the new legislation, including transparency, lawful bases for processing, the new accountability principle and the requirement to record processing activities.
It is also important to note that, in accordance with section 127 of the DPA, the ICO will take the code into account when considering whether organisations have complied with their data protection obligations in relation to data sharing. In particular, the Commissioner will take the code into account when considering questions of fairness, lawfulness, transparency and accountability under the GDPR or the DPA. The code can also be used in evidence in court proceedings, and the courts must take its provisions into account wherever relevant.
The public consultation on the draft data sharing code was launched in July and closed on September 9. The draft code is now expected to be approved by Parliament before it becomes a statutory code of practice.
The Independent Inquiry into Child Sexual Abuse has been fined £200,000 following an ICO children's data decision.
The ICO has fined the Independent Inquiry into Child Sexual Abuse (IICSA) £200,000 after it sent a bulk email that identified possible victims of non-recent child sexual abuse, according to the ICO's children's data decision.
The Inquiry, set up in 2014 to investigate the extent to which institutions failed to protect children from sexual abuse, did not keep confidential and sensitive personal information secure. This is a breach of the Data Protection Act 1998.
An IICSA staff member sent an email to 90 Inquiry participants on 27 February 2017, with the recipients in the blind carbon copy (bcc) field, telling them about a public hearing. After noticing an error in the email, a correction was sent, but by mistake the email addresses were entered into the 'to' field instead of the 'bcc' field.
This allowed the recipients to see each other's email addresses, identifying them as possible victims of child sexual abuse, according to the ICO's children's data decision. Fifty-two of the email addresses contained the full names of the participants or had a full-name label attached.
The ICO has fined a company for failing to register with it and pay the fee, providing some initial guidance on the ICO's fines policy under the GDPR and the Data Protection Act 2018.
Noble Design and Build of Telford, Shropshire, which operates CCTV systems in buildings across Sheffield, was fined £4,500 in total and ordered to pay costs of £364.08 and a victim surcharge of £170.00.
The company failed to comply with an Information Notice and failed to register with the ICO, even though it was contacted three times, by letter and by email. The company was prosecuted under the Data Protection Act 1998 because of when the offences took place (September 2017 to January 2018). The Data Protection Act 2018 came into force on 25 May 2018, and organisations that process personal data now have a duty to pay a data protection fee unless they are exempt.
Although this gives some guidance on ICO fines and enforcement under the GDPR and the Data Protection Act 2018, one should note that fines are expected to be higher under the two new pieces of legislation.