First high profile post-GDPR personal data breach

13th June 2018

Personal data security is one of the highest profile aspects of data protection law. Security is one of the data protection principles in its own right, and it matters not only because of the mandatory personal data breach reporting requirements under the GDPR but also because of the damage a personal data breach can do to an organisation’s reputation.

This has been demonstrated by the first high profile post-GDPR personal data breach. Dixons Carphone has revealed that it has suffered a cyber attack which compromised 1.2 million customer records containing personal data, including names, addresses and email addresses. The intrusion also compromised the details of 5.9 million payment cards. The ICO has been notified of the breach under the new post-GDPR mandatory breach notification regime, and the individuals affected have also been told that their personal data has been accessed.

Under the GDPR mandatory breach notification requirements, where a personal data breach is likely to result in a risk to individuals (the risk in this instance being identity theft or financial fraud) the ICO must be told. This notification must be made without undue delay and, where feasible, within 72 hours of the organisation becoming aware of the breach.

It isn’t clear when this intrusion took place or how long it took Dixons Carphone to discover the breach and report it to the ICO. The breach is now under investigation by the ICO, and the timing of discovery and notification will be key factors in determining what action the ICO takes. All eyes are likely to be on the outcome to see whether this results in a large fine for the company, in view of the increased levels of fines applicable under the GDPR and the fact that Carphone Warehouse (the mobile phone division of Dixons Carphone) was fined £400,000 in January, one of the highest fines imposed under the Data Protection Act 1998, following an earlier cyber attack. The company has already seen a drop in its share price following the report of the latest breach.

From your organisation’s point of view, this is a useful prompt to:

  • Review your security provision generally. Under the GDPR, controllers are required to ensure the appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. This extends to personal data handled on employees’ own electronic devices (you may need a Bring Your Own Device Policy if you allow employees to use personal devices for work purposes);

  • Ensure that you have your Personal Data Breach Reporting Policy and Procedures in place, so that your organisation can respond promptly and effectively to any personal data breach that occurs and notify the ICO and the individuals involved within the required timeframes;

  • Ensure that you have your personal data breach log up and running. All personal data breaches (regardless of whether they require notification to the ICO or the individuals involved) must be logged;

  • Train your staff. Staff awareness of what can amount to a personal data breach, and of what is required of them if they become aware of one, is a key factor in ensuring your organisation’s compliance with data protection law.

For further information about a Personal Data Breach Reporting Policy and Procedure, a Bring Your Own Device Policy for employees, staff training or what needs to go in your personal data breach log, contact Lowri Phillips, Head of the Information Law Team, at Lowri.phillips@geldards.com.
