GDPR Update - ICO Issues Fine Of Half A Million Pounds On National Retailer


The ICO has certainly got the New Year off to a flying start! On Thursday of last week, it fined DSG Retail Limited £500,000 for data protection law breaches associated with a cyber-attack which affected DSG’s Currys PC World and Dixons Travel stores between July 2017 and April 2018.

As the breaches occurred prior to 25th May 2018 (when the GDPR came into force), the fine was issued under the previous legislation, the Data Protection Act 1998 (‘DPA’). The fine amounted to the maximum penalty that could have been imposed under the DPA and the ICO has indicated that the fine would have been much higher had it been issued under the GDPR.

Once again, the fine related to technical and organisational security failures, which meant that personal data was put at risk. The ICO justified its imposition of the maximum fine possible on various grounds, including:

  • The fact that the vulnerabilities in DSG’s security arrangements were wide-ranging and systemic;
  • The fact that a number of the inadequacies related to basic, common-place measures required to ensure the security of any system (e.g. a lack of network segregation, failures to patch software and a lack of penetration and vulnerability testing);
  • The fact that the breaches persisted over a relatively long period of time before being detected (and were only eventually detected by DSG due to an external tip-off);
  • The amount of personal data involved and the number of individuals affected. The breaches allowed the attacker to access details from 5,646,417 customer payment cards and also exposed the non-financial personal data of approximately 14 million individuals;
  • The nature of the risks resulting from the breaches – namely, financial theft and identity fraud.

Once again, the fine highlights how important it is for organisations to:

  • carry out a thorough risk assessment of the security of their processing;
  • implement appropriate technical and organisational security measures; and
  • keep those measures under review to ensure that they remain effective and appropriate.

For more information, please contact a member of our Information Law team.

