It was announced last week that the credit reference agency Equifax has been fined £500,000 by the Information Commissioner's Office (ICO) for failing to protect the personal data of 15 million UK citizens, and around 146 million people in the US, in the 2017 data breach.
The long-awaited ICO report found that the UK arm of the company did not have appropriate steps in place for processing and protecting the personal information of its data subjects.
The report, the result of a joint investigation by the ICO and the FCA, highlighted the following:
- Data was retained for longer than was necessary.
- Inadequate measures were in place to manage personal information.
- IT security fell short of the standard required, making a compromise of the data likely.
- The US Department of Homeland Security had advised Equifax Inc. of a critical vulnerability in 2017, and the company failed to act on that warning in time.
- Customers' data should have been treated with far greater regard.
The investigation was carried out under the Data Protection Act 1998 rather than the General Data Protection Regulation (GDPR), which came into force on 25th May this year. The £500,000 penalty is the maximum fine available under the 1998 Act.
Under the GDPR the ICO can impose fines of up to €20 million or 4% of a company's global annual turnover, whichever is higher. Had this breach occurred after 25th May this year, the financial consequences could therefore have been considerably greater.
How the ICO will approach GDPR fines, and how it will apply them to businesses responsible for a data breach, remains largely untested, and only time will tell how severely the new powers are used. The Equifax fine does suggest, however, that the ICO will treat such breaches very seriously and will want to demonstrate that the new legislation has "teeth" and that it will act accordingly.