Data Protection fine for breach!
Following the implementation of the General Data Protection Regulation, it has been interesting to watch for those organisations that have not taken steps to ensure compliance with the new regime. A recent case has emerged in which the Information Commissioner’s Office (ICO) fined the British and Foreign Bible Society £100,000 for data protection breaches.
The Society relies predominantly on donations from supporters and keeps records of their personal data, including payment card and bank account details used to process donations. The Society did have IT security systems in place to protect data but suffered a cyber-attack in which supporters’ personal data was put at risk.
While the ICO accepted that the cyber-attack was not something that the Society could have prevented, it found that the security in place was not sufficiently robust. In particular, the network was protected by an easy-to-guess password. The ICO’s Head of Enforcement said: “Cyber-attacks will happen, that’s just a fact, and we fully accept that they are a criminal act. But organisations need to have strong security measures in place to make it as difficult as possible for intruders.”
Under the new data protection regime, the maximum fine is 20 million euros or 4% of global turnover, whichever is higher.