Data protection watchdog still has bite

Many will remember the sense of trepidation in the air when GDPR came into effect, with the Information Commissioner’s Office given powers to impose fines for breaches of GDPR of up to the greater of €20 million or 4% of global turnover.

A lot has changed since then (not least Brexit) and, while UK GDPR still allows the ICO to impose fines of up to the greater of £17.5 million and 4% of global turnover, the frequency and size of fines actually imposed by the ICO since 2018 have been nowhere near the levels some feared. In fact, the sheer volume of reports and complaints to the ICO gave rise to a perception that workloads were affecting enforcement, and some took the view that the ICO had returned to the days when it was considered something of a “toothless watchdog”.

However, the £3.07 million fine recently imposed on Advanced Computer Software Group Ltd for failures in respect of a cyber attack putting thousands of NHS records at risk is something of a wake-up call. Advanced was acting as a data processor for the NHS, among others, and held large volumes of personal data on its systems.

The fine was imposed by the ICO for Advanced’s failures to put in place appropriate security measures such as multi-factor authentication, a lack of comprehensive vulnerability scanning and inadequate patch management. Hackers subsequently managed to access Advanced’s systems and a large number of sensitive personal records in the course of a ransomware attack.

It should also be noted that the £3.07 million fine is considerably lower than the £6.09 million fine the ICO had initially indicated it would impose, which was reduced only following representations made by Advanced and the steps it took following the attack to mitigate the impact and improve its processes and procedures.

Of course, cyber attacks of any kind can be very difficult to prevent – the more sophisticated security is put in place, the more sophisticated the attacks become. GDPR recognises that and a cyber attack which results in a data breach will not give rise to a fine unless the organisation targeted has also failed to comply with the data protection principles and put in place appropriate technical or organisational measures. In practice, this means everything from ensuring security patches are up to date to providing staff with training on not opening suspicious attachments.

For those individuals affected by a serious data breach, the results can be devastating, with the most personal details up for sale on the dark web and, in some cases, safety and wellbeing put at risk. For those organisations affected, the financial and reputational risks are also huge, with the potential for fines, civil claims for damages and loss of business from those who do not feel confident in their providers.

We now live in a world where most of us recognise the reality that no entity can ever guarantee its systems are impenetrable, but most of us also expect organisations to do what they can to make them robust. The fine imposed on Advanced demonstrates just one of the consequences of failing to do so.

BTO’s IP, Tech & Data Protection team can provide advice and support on data protection compliance and dealing with the effects of a data breach.