GDPR Update - ICO Issues Fine Of Half A Million Pounds On National Retailer

The ICO has certainly got the New Year off to a flying start! On Thursday of last week, it fined DSG Retail Limited £500,000 for data protection law breaches associated with a cyber-attack which affected DSG’s Currys PC World and Dixons Travel stores between July 2017 and April 2018.

As the breaches occurred prior to 25th May 2018 (when the GDPR came into force), the fine was issued under the previous legislation, the Data Protection Act 1998 (‘DPA’). The fine amounted to the maximum penalty that could have been imposed under the DPA and the ICO has indicated that the fine would have been much higher had it been issued under the GDPR.

Once again, the fine related to technical and organisational security failures, which meant that personal data was put at risk. The ICO justified its imposition of the maximum fine possible on various grounds, including:

  • The fact that the vulnerabilities in DSG’s security arrangements were wide-ranging and systemic;
  • The fact that a number of the inadequacies related to basic, commonplace measures required to ensure the security of any system (e.g. a lack of network segregation, failures to patch software and a lack of penetration and vulnerability testing);
  • The fact that the breaches persisted over a relatively long period of time before being detected (and were only eventually detected by DSG due to an external tip-off);
  • The amount of personal data involved and the number of individuals affected. The breaches allowed the attacker to access details from 5,646,417 customer payment cards and also exposed the non-financial personal data of approximately 14 million individuals;
  • The nature of the risks resulting from the breaches – namely, financial theft and identity fraud.

Once again, the fine highlights how important it is for organisations to:

  • carry out a thorough risk assessment of the security of their processing;
  • implement appropriate technical and organisational security measures; and
  • keep those measures under review to ensure that they remain effective and appropriate.

For more information, please contact a member of our Information Law team.
