Well, the 25th May 2018 came and went; the GDPR came into force and the sky did not fall. However, organisations that have not taken steps to ensure compliance with the new regime would do well to take note of a recent case in which the Information Commissioner’s Office (ICO) fined the British and Foreign Bible Society £100,000 for data protection breaches.
The Society relies predominantly on donations from supporters and keeps records of their personal data, including payment card and bank account details used to process donations. The Society did have IT security systems in place to protect data but suffered a cyber-attack in which supporters’ personal data was put at risk.
While the ICO accepted that the cyber-attack itself was a criminal act that the Society had not invited, it found that the security in place was not sufficient. In particular, the network permitted inappropriate remote access rights and the access route used by the attackers was protected by an easy-to-guess password. Both are basic failings: remote access should be limited to those who genuinely need it, and the accounts that provide it should be protected by credentials that cannot simply be guessed. The ICO’s Head of Enforcement said: “Cyber-attacks will happen, that’s just a fact, and we fully accept that they are a criminal act. But organisations need to have strong security measures in place to make it as difficult as possible for intruders.”
The fact that supporters’ financial details were put at risk, exposing them to identity fraud, was bad enough. However, the ICO also found that, given the nature of the Society, the religious beliefs of the 417,000 affected donors could be inferred from the compromised data, a further aggravating factor because religious belief is sensitive personal data.
While the £100,000 fine has only recently been imposed, the incidents in question occurred prior to the introduction of the GDPR and were therefore dealt with under the Data Protection Act 1998. Under the DPA 1998 the maximum fine available to the ICO was £500,000. Under the new data protection regime, the maximum fine is €20 million or 4% of annual worldwide turnover, whichever is the higher.
If you are concerned about GDPR compliance, our suite of documents and useful guidance can be found on the client area of our website.