The Dixons Carphone data breach reported this week is the first significant breach of customer personal data in the UK since GDPR came into force. Data protection lawyers like ourselves will be monitoring the fallout (it’s the second breach at Dixons Carphone in three years) to see how the ICO approaches such a significant breach of personal information. As we know, firms can face a £20 million fine under GDPR, and Dixons’ share price has already fallen sharply following the news. Is the market anticipating a significant fine?
DOES GDPR APPLY?
Fortunately for the company, there’s a chance it could escape the huge fines that can be levied under GDPR. That’s because, while the breach was reported after GDPR came into force, a company spokesperson has said the breach actually occurred while the old Data Protection Act (DPA) applied. For Dixons that means that, instead of a fine potentially in the millions, any sanction could be limited to £500,000, the maximum penalty under the DPA. The Information Commissioner, however, seems to be keeping her powder dry, if her statement on the subject is anything to go by. Of the Dixons breach the ICO website says:
“It is early in the investigation. We will look at when the incident happened and when it was discovered as part of our work and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts” (the 2018 Act refers to GDPR).
WHAT HAPPENED AT DIXONS CARPHONE?
During a systems review the company discovered unauthorised access to 5.9 million customers’ cards and to 1.2 million personal details. No fraud has been detected. With the help of cybersecurity experts, the company has taken steps to curtail the unauthorised access.
The company has apologised, saying it had fallen short of what customers expect. It intends to write to affected individuals immediately, explaining what has happened and outlining the steps they can take to protect their data in future.
REPORTING BREACHES AND GDPR
Dixons’ response to the breach reflects the requirements of GDPR. Under the new legislation, companies must report certain types of data breach to the ICO. It’s important to remember that you don’t need to report every breach. Your organisation must make a judgment call as to the likelihood and severity of the resulting risk to the rights and freedoms of those affected.
If there is a risk, you should notify the ICO. If you decide there isn’t a risk to rights and freedoms, you don’t have to report the breach. But you may be required to justify your decision later, so you should document your reasons for non-notification. If the risk is high, you should also inform affected individuals as soon as possible.
HOW WE CAN HELP
These reporting responsibilities mean any organisation that processes data should now have effective internal procedures in place to investigate and report breaches when they occur.
There is a wealth of information on the ICO website aimed at supporting companies that are getting to grips with the new data protection landscape. From a practical point of view, our experience at Big Data Law is that many businesses need more bespoke advice on GDPR compliance. As a result, we work closely with a range of organisations to develop robust data protection procedures. We offer a range of GDPR packages to ensure ongoing GDPR compliance. Our services include assisting with the preparation of breach response plans and effective internal escalation procedures in the event of a security breach.
For more information please call us on 0203 670 5540.