https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/ico-announces-intention-to-fine-british-airways/

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/intention-to-fine-marriott-international-inc-more-than-99-million-under-gdpr-for-data-breach/

April was an extremely busy month for the ICO, with a number of enforcement actions taken as well as two consultations on the important issues of consent and profiling under GDPR. These consultations have now closed and we must wait patiently to hear what the outcome will be. Whilst the consultation on profiling only closed at the end of last week, the consent consultation closed earlier and the ICO has indicated that it received a significant response. You can see the ICO’s initial statement on the response by clicking on the link below.

Draft GDPR Consent guidance receives a significant response

The latest fine issued by the ICO highlights that “cyber security must be a top priority for businesses regardless of size”.

This fine came as a result of an investigation by the ICO which concluded that an online construction materials business had failed to implement appropriate technical and organisational measures to protect its customer data. In particular, the investigation found that the organisation had failed to identify that its website contained a coding error which left it vulnerable to attack. This vulnerability was subsequently exploited by hackers who gained access to 669 unencrypted cardholder details including names, addresses, account numbers and security codes.

Whilst the investigation highlighted that the retailer had not intended to bypass the law, it also made clear that oversight is not an excuse. As such, organisations must ensure that they detect vulnerabilities in their security systems and that the security measures they have in place are adequate to protect the personal data entrusted to them.

The ICO’s Head of Enforcement Steve Eckersley commented that “this fine must serve as a warning to other small and medium-sized firms that the security of their customers’ personal information must come first”.