“This law is not about fines”
“This law is not about fines” – the Information Commissioner recently commented on the GDPR.
As we all continue to prepare for the GDPR coming into force, the Information Commissioner has recently issued the equal largest fine ever under the Data Protection Act.
Carphone Warehouse has been fined £400,000 (the current maximum is £500,000) after one of its systems was compromised as a result of a cyber-attack. Its failing was that it had not secured the system, which allowed unauthorised access to the personal data of over three million customers and a thousand employees.
The compromised data included names, addresses, phone numbers, dates of birth, marital status and some customers’ historic payment card details. The ICO considered that this personal data would significantly affect the privacy of the individuals, putting their data at risk of being misused.
It is clear that the ICO took the view that such a large, well-resourced and well-established company should have been doing more to ensure that its systems were secure and not vulnerable to such attacks.
The data security requirements under the GDPR are more stringent than those currently in force under the Data Protection Act – and of course the maximum fines are much larger.
Organisations need to make sure they are doing all that is required to comply with all of the data protection principles – including the requirement to keep personal data secure.
Please get in touch if you would like advice on the GDPR.