The EasyJet data breach which came to light a couple of days ago is one of the largest breaches to affect a UK company to date. EasyJet has admitted that the personal data of over 9 million customers has been compromised, including the credit card details of 2,208 individuals. The possibility of a large regulatory fine now hangs over EasyJet - something it could well do without in these already challenging times.
We’ve already seen the ICO wield its new powers under the GDPR (just last summer, it imposed an £183 million fine on British Airways, amounting to 1.5% of British Airways’ 2017 worldwide turnover). The ICO won’t be afraid to exercise those powers again, should it emerge that EasyJet’s security measures were not up to scratch. In a worst-case scenario, if the ICO imposed the maximum penalty of 4% of annual worldwide turnover on EasyJet, the fine could be in the region of £250 million.
At a time when no organisation wants to face a regulatory fine for a personal data breach, what are the key GDPR requirements to keep in mind when it comes to the security of personal data?
- The GDPR does not list specific security measures which an organisation must put in place. Instead, organisations are required to implement appropriate technical and organisational measures to ensure the security of the personal data they process.
- This means that organisations are required to take a risk-based approach and implement a level of security that is appropriate to the processing they are carrying out and the level of risk that processing represents. Consequently, what is appropriate for one organisation will not necessarily be appropriate for another.
- When assessing the level of risk, organisations need to take into account a wide range of factors, including:
  - The nature of the personal data being processed (for example, how sensitive or confidential is it?);
  - What is being done with the data (for example, will it be regularly accessed or transmitted?);
  - The damage or distress which might occur if a breach took place. This could range from identity fraud to embarrassment or inconvenience;
  - The ‘state of the art’, in terms of current security recommendations and measures within your industry sector; and
  - The cost of implementation.
- The security measures implemented need to protect against more than just cyber-attacks. Organisations must think about their physical and organisational security, as well as technical protection. Organisational measures include ensuring that there is clear accountability for security within an organisation, training staff and having a suitable information security policy. Physical security involves a number of different factors, from ensuring the security of premises and controlling access to premises, to keeping IT equipment secure.
- When assessing security risks, organisations need to think about more than just preventing the theft of, or unauthorised access to, personal data. The GDPR requires organisations to ensure the confidentiality, integrity and availability of the personal data they process. Organisations, therefore, need to be confident that the security measures they put in place ensure that:
  - Personal data can only be accessed, altered, deleted or disclosed by those who have authority to do so;
  - They have the means to recover personal data which is lost, altered or destroyed (e.g. by ensuring back-ups are created); and
  - The personal data they need to use is complete and accurate.
- The GDPR specifically requires organisations to have a process for regularly testing, assessing and evaluating the effectiveness of their security measures (e.g. by undertaking penetration testing). It also requires organisations to put in place appropriate technical and organisational measures which enable them to establish immediately whether a personal data breach has taken place.
So, there is a lot to take into account when it comes to the security of personal data, and organisations need to ensure that they assess and address all relevant factors.
If you’d like more information about the requirements under the GDPR relating to the security of personal data, feel free to contact a member of our Information Law team.
Useful guidance can also be found on the ICO’s website.