
DPA 2018 doesn’t expect perfection

by Mark Rowe

The UK’s data protection regulator, the Information Commissioner’s Office (ICO), recently fined the retailer DSG, parent firm of Currys PC World and Dixons Travel, a maximum £500,000 under the 1998 Data Protection Act for a data security failure at their stores between July 2017 and April 2018, whereby malware let criminals collect personal data such as failed credit checks and email addresses. Arguably as significant was a fine under the new, 2018 Act against a London-based pharmacy – £275,000 for failing to ensure the security of special category data, by leaving it in unlocked containers outside its premises. Thomas Owen, Head of Security at IT managed services and cloud provider Memset, comments on the law after the 2018 EU-wide General Data Protection Regulation (GDPR).

The ICO maintains genuinely useful, short-form guidance on GDPR/DPA 2018 compliance. CTOs should at least familiarise themselves with this, as ignorance isn’t a defence.

GDPR’s key principles are around lawfulness, fairness, transparency, limitation of processing, accuracy and minimisation of data, and security. This is a range of policy stances with technical backbones, and one hard operational discipline. While CTOs might be tempted to focus on the ‘tractable’ problems like cybersecurity, just remember most enforcement actions are actually handed out for violations of collection, use or quality of data.

If you have questions, or in the event of a breach, remember that the ICO is a ‘good’ regulator. They appear to respond to good governance, transparency and cooperation by taking a consultative approach. Their remit has expanded exponentially in comparison to their resources, so I’m certain they appreciate the easy customers.

In the cybersecurity space, DPA 2018 doesn’t expect perfection, and neither does the ICO. The act might refer to ‘the state of the art’, but controls and investment appropriate to the organisation and the scale and sensitivity of data you process are the key, along with a narrative of continual improvement. (So, ISO27001 ‘done right’.) Article 25(1) outlines the proportionality requirement.

If you are collecting data unethically, using data for purposes outside of your published scope, getting breached due to significant underperformance in cybersecurity, or otherwise violating the key principles, you’re acting illegally. Don’t do that.

The lawful basis for processing and collecting data can be a minefield. Data subject consent is the least reliable, most ephemeral lawful basis for processing, so talk to your legal advisors and opt for any other lawful basis first. Consent cannot be a precondition for service, it must be revocable and must be continually reviewed and refreshed.

As we have seen from recent mega-breaches, if you know about a critical vulnerability in key or public facing infrastructure, you really can’t afford to ignore it. That would be a do-not-pass-go violation of Art 25(1) and you will be sure to land yourself in the hottest water. Besides, with today’s hostile internet, that kind of issue will almost certainly be exploited.

The threshold for a reportable breach is based on the risk of a material impact on the rights and freedoms of the users’ data. If you suspect the threshold has been reached, report to the ICO early and openly. It is far better to be standing down a happy regulator than attempting to appease an angry one. Once breached, data is likely to become public at some point, so there’s no point trying to hide.

In the event of a breach, the worst thing you can do is fear the fine. Focus on solid incident response and remedial actions, escalate to the ICO early and make sure your narrative is one of ‘doing the right thing.’ Fines are at one end of the ICO’s enforcement powers, and they tend to use less severe methods wherever possible. And if you do represent a mega-corp, your legal budget alone dwarfs their entire legal action fund for the year!


© 2024 Professional Security Magazine. All rights reserved.
