First high profile post-GDPR personal data breach

13th June 2018

Personal data security is one of the highest-profile aspects of data protection law. Security is one of the data protection principles, and it matters not only because of the mandatory personal data breach reporting requirements under the GDPR but also because of the damage a personal data breach can do to an organisation's reputation.

This has been demonstrated by the first high-profile post-GDPR personal data breach. Dixons Carphone has revealed that it has suffered a cyber attack that compromised 1.2 million customer records, including names, addresses and email addresses. The intrusion also compromised the details of 5.9 million payment cards. The ICO has been notified under the new mandatory breach notification regime, and the individuals affected have also been told that their personal data has been accessed.

Under the GDPR mandatory breach notification requirements, where a personal data breach is likely to result in a risk to individuals (the risk in this instance being identity theft or financial fraud) the controller must notify the ICO. Notification must be made without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach. It is not yet clear when this intrusion took place, how long it took Dixons Carphone to discover it, or how quickly the ICO was then notified. The breach is now under investigation by the ICO, and those timings will be key factors in determining what action the ICO takes. All eyes are likely to be on the outcome, given the increased levels of fines available under the GDPR and the fact that Carphone Warehouse (the mobile phone division of Dixons Carphone) was fined £400,000 in January, one of the highest fines imposed under the Data Protection Act 1998, following an earlier cyber attack. The company has already seen a drop in its share price following the report of the latest breach.

From your organisation’s point of view, this is a useful prompt to:

  • Review your security provision generally. Under the GDPR, controllers are required to ensure the appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. This includes the situation where employees are permitted to use their own electronic devices for work (you may need a Bring Your Own Device Policy if you allow employees to use personal devices for work purposes);

  • Ensure that you have your Personal Data Breach Reporting Policy and Procedures in place to ensure that your organisation can respond promptly and effectively to any personal data breach that occurs and notify the ICO and the individuals involved within the required timeframes;

  • Ensure that you have your personal data breach log up and running. All personal data breaches (regardless of whether they require notification to the ICO or the individuals involved) must be logged;

  • Train your staff. Staff awareness of what can amount to a personal data breach, and of what is required of them if they become aware of one, is a key factor in ensuring your organisation's compliance with data protection law.

For further information about a Personal Data Breach Reporting Policy and Procedure, a Bring Your Own Device Policy for employees, staff training or what needs to go in your personal data breach log, contact Lowri Phillips, Head of the Information Law Team at

Lowri Phillips, Partner, Cardiff, +44 (0)29 2039 1758

Helen Snow, Professional Support Lawyer, Cardiff, +44 (0)29 2039 1497

Rhys Wyborn, Partner, Nottingham, +44 (0)115 983 3706