General Data Protection Regulation – Security of personal data - BLACKMORE RICOTECH


24th January 2017

The UK’s Data Protection Authority, the Information Commissioner’s Office (ICO), last week fined Royal & Sun Alliance (RSA), a leading UK insurance company, £150,000 (around €170,000) for failing to keep customers’ information safe. The fine was issued following the theft from one of its offices of a hard drive containing the names, addresses and bank account details, including account numbers and sort codes, of almost 60,000 customers.

The ICO investigation found that RSA did not have adequate measures in place to protect the customer information. The ICO’s head of enforcement said: “There are simple steps companies should take when using this type of equipment including using encryption, making sure the device is secure and routine monitoring of equipment. RSA did not do any of this and that’s why we’ve issued this fine.”

Data security plays a prominent role in the new General Data Protection Regulation (GDPR). Compared to current national data protection laws based on the 1995 Data Protection Directive, the GDPR imposes stricter obligations on organisations with regard to data security while simultaneously offering more guidance on appropriate security standards.

Under Article 32, controllers and processors are required to “implement appropriate technical and organisational measures” taking into account “the state of the art and the costs of implementation” and “the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.” The obligation is risk-based: the measures must be proportionate to what could go wrong for the individuals concerned, not merely to what is convenient for the organisation.

Unlike the Directive, however, the GDPR gives examples of the kinds of security measures that may be considered “appropriate to the risk” (Article 32(1)), including:

  • The pseudonymisation and encryption of personal data.
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
  • The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident.
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
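Article 32(1)(a) names pseudonymisation and encryption as the first of its measures, and the ICO’s comment on the RSA drive is about encryption at rest. As an added illustration, not code from this page or from IT Governance, the Python script below pseudonymises a small constructed set of customer records of the kind the article describes, using a keyed HMAC so that tokens still link rows belonging to one customer but cannot be recovered without the key. It also shows why an unkeyed hash is not pseudonymisation for a low-entropy field such as a six-digit sort code: the value is recovered by trying all one million possibilities. The sample records, the key handling and every function name are assumptions of the example. Encrypting the storage medium itself, the control the ICO faulted RSA for omitting, is a separate measure not covered here.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records in the shape the article describes (names,
# addresses, sort codes, account numbers). Made-up values, not data from the
# RSA incident; row 3 repeats row 1 to show that linkability survives.
SAMPLE_CUSTOMERS: List[Dict[str, str]] = [
    {"name": "A. Example", "address": "1 High St, Exampleton",
     "sort_code": "40-47-84", "account_number": "12345678"},
    {"name": "B. Sample", "address": "2 Low Rd, Sampleville",
     "sort_code": "20-00-00", "account_number": "87654321"},
    {"name": "A. Example", "address": "1 High St, Exampleton",
     "sort_code": "404784", "account_number": "12345678"},
]


def normalise_bank_details(sort_code: str, account_number: str) -> str:
    """Canonical form so '40-47-84' and '404784' yield the same token."""
    digits = "".join(ch for ch in sort_code if ch.isdigit())
    if len(digits) != 6 or len(account_number) != 8 or not account_number.isdigit():
        raise ValueError("expected a 6-digit sort code and an 8-digit account number")
    return f"{digits}:{account_number}"


def keyed_token(key: bytes, field: str, value: str) -> str:
    """HMAC-SHA256 over a field label plus value; the label keeps a name and a
    bank-detail string that happen to be equal from sharing a token."""
    mac = hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:32]  # 128 bits is ample for a join key


def pseudonymise(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Replace direct identifiers with keyed tokens and drop the address.

    Tokens are stable for the same input under the same key (rows for one
    customer still link), but without the key they cannot be inverted by
    enumeration, even though sort codes (10^6) and account numbers (10^8)
    are small enough to guess exhaustively.
    """
    bank = normalise_bank_details(record["sort_code"], record["account_number"])
    return {
        "customer_token": keyed_token(key, "bank", bank),
        "name_token": keyed_token(key, "name", record["name"].strip().lower()),
    }


def pseudonymise_all(records: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    return [pseudonymise(r, key) for r in records]


def leaks_raw_values(rows: List[Dict[str, str]], records: List[Dict[str, str]]) -> bool:
    """True if any raw identifier from the input survives in the output."""
    blob = repr(rows)
    for r in records:
        raw = [r["name"], r["address"], r["account_number"],
               "".join(ch for ch in r["sort_code"] if ch.isdigit())]
        if any(v in blob for v in raw):
            return True
    return False


def naive_hash_sort_code(sort_code: str) -> str:
    """What not to do: an unkeyed hash of a low-entropy field."""
    digits = "".join(ch for ch in sort_code if ch.isdigit())
    return hashlib.sha256(digits.encode()).hexdigest()


def recover_naive_sort_code(digest: str) -> Optional[str]:
    """Invert the unkeyed hash by trying every one of the 1,000,000 sort codes."""
    for i in range(1_000_000):
        guess = f"{i:06d}"
        if hashlib.sha256(guess.encode()).hexdigest() == digest:
            return guess
    return None


if __name__ == "__main__":
    # The key is the re-identification secret: store it apart from the
    # pseudonymised dataset, under stricter access control.
    key = secrets.token_bytes(32)
    rows = pseudonymise_all(SAMPLE_CUSTOMERS, key)
    for row in rows:
        print(row)
    print("rows 1 and 3 link:", rows[0]["customer_token"] == rows[2]["customer_token"])
    print("raw identifiers leaked:", leaks_raw_values(rows, SAMPLE_CUSTOMERS))
    print("unkeyed hash of sort code recovered:",
          recover_naive_sort_code(naive_hash_sort_code("40-47-84")))
```

The design point is the separation of the key from the dataset: the pseudonymised table can be shared with analysts or a processor, while re-identification needs the key, which is exactly the “additional information kept separately” that Article 4(5) of the GDPR uses to define pseudonymisation. Without a key, hashing a field whose whole value space can be enumerated in seconds protects nothing, as the brute-force function shows.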

An organisation that cannot demonstrate appropriate technical and organisational measures under Article 32 faces administrative fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher (Article 83(4)). A data breach is usually what brings such a failure to the regulator’s attention, but the obligation applies whether or not a breach has occurred.

In this instance, Royal & Sun Alliance got off rather lightly in terms of the financial penalty: the fine was issued under the Data Protection Act 1998, where the ICO’s maximum is £500,000, not under the GDPR, which applies from 25 May 2018. The reputational damage, however, will be significantly greater, with almost 60,000 customers dealing with the stress of their confidential information potentially being used in fraudulent activity.

For further information on the new Regulation and its application, the following publication is recommended:

EU GDPR – An Implementation and Compliance Guide

This clear and comprehensive guide provides detailed commentary on the GDPR, and practical implementation advice on the measures needed for your data protection and information security regimes.

Courtesy of IT Governance
