£400k and we haven’t even started GDPR yet
A few days ago, the Information Commissioner’s Office (ICO) slapped a meaty £400,000 fine on Carphone Warehouse for a data breach it suffered in 2015.
Because the company was running out-of-date WordPress sites, attackers were able to steal personal data on more than three million customers and over 1,000 employees.
Under the current rules, the fine falls just short of the £500,000 maximum the ICO could have imposed. However, as some commentators have remarked, the figure could have been much higher if the General Data Protection Regulation (GDPR) were being enforced. Indeed, at a maximum of 4% of turnover, it could have been around £17 million.
The Carphone Warehouse Reality
Of course, that’s completely theoretical. Although GDPR allows for such massive fines, there’s no way of knowing whether the ICO would have hit Carphone Warehouse with the full weight of the law. Indeed, the fact it didn’t fine the company the full 500 grand it could have might suggest that it saw this as a decidedly 400k kind of offence.
That said, Information Commissioner Elizabeth Denham was fairly damning of Carphone Warehouse’s conduct:
“A company as large, well-resourced and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.
“Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”
Clearly, then, Carphone Warehouse should have done better, and the potentially enormous fines of GDPR are meant to be a deterrent against such negligence – so maybe it really did get off lightly…
What Does This Mean For SMEs?
Whatever the case, it’s interesting that the ICO should bring up the size of the company. All businesses and organisations have a duty of care when it comes to data protection, but there’s no doubt big corporations with larger amounts of data are judged more harshly for their transgressions. The same logic will probably apply when GDPR comes into force on 25th May 2018.
These big-money headlines draw in clicks for websites, and they act as a useful reminder to take data protection seriously. But owners of small- and medium-sized businesses shouldn’t panic. If they have good cyber security solutions in place; make regular, encrypted backups of their data; and treat personal data with the respect it deserves, they are unlikely to be hauled over the coals in the aftermath of a data breach. Plus, the standards expected of them will pale in comparison with what big businesses like Carphone Warehouse will have to achieve in this area.
Maybe the most important lesson of all is to maintain a sense of perspective when looking at these fines.