What can we learn from this case and what precautions should businesses be taking to avoid any data breaches and subsequent fines?
The news has recently reported that Dixons Carphone has been fined £500,000 for massive data breach. The ICO deemed that there were ‘systemic failures’ found in the retailer’s management and protection of customer data.
The ICO reported (read the ICO’s press release) that the fine came as a result of the retailer failing to secure the information of at least 14 million people when a ‘point of sale’ computer system was compromised. Malware was installed by an attacker on over 5,000 tills at DSG’s Currys, PC World and Dixons Travel stores between July 2017 and April 2018. Steve Eckersley, ICO’s Director of Investigations, said: “Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen. The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR”.
So how does the fine work in practice under the new GDPR regulations? Had this action been regulated by GDPR rather than the earlier Data Protection Act 1988, the ICO would have been free to levy significantly higher penalties. Under GDPR, regulators can enforce penalties of up to £17m or 4% of global turnover, whichever is higher. Recent penalties brought under the new legislation have been significantly higher: £183m against British Airways for a breach of customer data and £99m against Marriott Hotels for failing to protect the personal data of over 300m guests.
The ICO were concerned that the failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen. As such, the ICO must be frustrated at being limited to a maximum fine of £500k under the historic law. The ICO shared similar frustrations with Facebook, when it could only issue a fine of £500k in connection with Facebook’s role in the Cambridge Analytica scandal.
What can we learn?
Companies should take note that the regulators are flexing their enforcement powers under the new legislation by imposing fines, where merited, which are significantly higher than the previous £500k cap. The ICO’s message has always been that it wants us to ‘live by’ the GDPR principles, and it has spent the time since the legislation was implemented in May 2018 allowing us all to become familiar with those principles and get our companies in order. The ICO now feels that we should be ready, and the penalties will be there for those that aren’t. Now is the time for businesses to firm up their data protection procedures, as fines are becoming more commonplace and could have a significant and damaging effect on businesses of any size.
If you would like any advice on your own data protection procedures please contact Laura Trapnell, Partner and head of our Data Protection team.