“This law is not about fines”
“This law is not about fines” – the Information Commissioner recently commented on the GDPR.
As we all continue to prepare for the GDPR coming into force, the Information Commissioner has recently issued the joint-largest fine ever under the Data Protection Act.
Carphone Warehouse has been fined £400,000 (the current maximum is £500,000) after one of its systems was compromised as a result of a cyber-attack. Its failing was not securing that system, which allowed unauthorised access to the personal data of over three million customers and a thousand employees.
The compromised data included names, addresses, phone numbers, dates of birth, marital status and some customers’ historic payment card details. The ICO considered that this personal data would significantly affect the privacy of the individuals, putting their data at risk of being misused.
It is clear that the ICO took the view that such a large, well-resourced and well-established company should have been doing more to ensure that its systems were secure and not vulnerable to such attacks.
The data security requirements under the GDPR are more stringent than those currently in force under the Data Protection Act – and of course the maximum fines are much larger.
Organisations need to make sure they are doing all that is required to comply with all of the data protection principles – including the requirement to keep personal data secure.
Please get in touch if you would like advice on the GDPR.