EU GDPR – Security of personal data

Last week, the Information Commissioner’s Office (ICO) fined Royal & Sun Alliance Insurance (RSA) £150,000 for failing to keep customers’ information safe. The fine was issued following the theft from one of its offices of a hard drive containing 60,000 customers’ names, addresses and bank account details, including account numbers and sort codes.

The ICO investigation found that RSA did not have adequate measures in place to protect the customer information. Steve Eckersley, the ICO’s head of enforcement, said: “There are simple steps companies should take when using this type of equipment including using encryption, making sure the device is secure and routine monitoring of equipment. RSA did not do any of this and that’s why we’ve issued this fine.”

Data security plays a prominent role in the new General Data Protection Regulation (GDPR). Compared to the current Data Protection Act (DPA), the GDPR imposes stricter obligations on organisations with regard to data security while simultaneously offering more guidance on appropriate security standards.

Under the new regulation, organisations are required to “implement appropriate technical and organisational measures” taking into account “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.”

Unlike the previous Data Protection Directive, however, the GDPR provides suggestions for the kinds of security actions that might be considered “appropriate to the risk,” including:

  • The pseudonymisation and encryption of personal data.
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
  • The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident.
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

In the event of a data security breach under the GDPR, organisations that fail to demonstrate appropriate technical and organisational compliance can expect fines of up to 2% of annual global turnover or €10 million – whichever is greater.

In this instance, Royal & Sun Alliance Insurance got off rather lightly in terms of the financial penalty incurred. The reputational damage, however, will be significantly greater, with almost 60,000 customers dealing with the stress of their confidential information potentially falling into criminal hands.

For further information on the new Regulation and its application, the following publication is recommended:

EU GDPR – An Implementation and Compliance Guide

This clear and comprehensive guide provides detailed commentary on the GDPR, and practical implementation advice on the compliance measures needed for your data protection and information security regimes.