The UK’s Data Protection Authority (ICO) last week fined Royal & Sun Alliance (RSA) – a leading UK insurance company – £150,000 (€170,000) for failing to keep customers’ information safe. The fine was issued following the theft from one of its offices of a hard drive containing 60,000 customers’ names, addresses and bank account details, including account numbers and sort codes.
The ICO investigation found that RSA did not have adequate measures in place to protect the customer information. ICO’s head of enforcement said: “There are simple steps companies should take when using this type of equipment including using encryption, making sure the device is secure and routine monitoring of equipment. RSA did not do any of this and that’s why we’ve issued this fine.”
Data security plays a prominent role in the new General Data Protection Regulation (GDPR). Compared to current national data protection laws based on the 1995 Data Protection Directive, the GDPR imposes stricter obligations on organisations with regard to data security while simultaneously offering more guidance on appropriate security standards.
Under Article 32, EU organisations are required to “implement appropriate technical and organisational measures” taking into account “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.”
Unlike the Directive, however, the GDPR provides suggestions for what kinds of security actions might be considered “appropriate to the risk,” including:
In the event of a data security breach under the GDPR, organisations that fail to demonstrate appropriate technical and organisational compliance can expect fines of up to 2% of annual global turnover or €10 million – whichever is greater.
In this instance, Royal & Sun Alliance Insurance got off rather lightly in terms of the financial penalty incurred. The reputational damage, however, will be significantly greater, with almost 60,000 customers dealing with the stress of their confidential information potentially being used in fraudulent activity.
For further information on the new Regulation and its application, the following publication is recommended:
This clear and comprehensive guide provides detailed commentary on the GDPR, and practical implementation advice on the measures needed for your data protection and information security regimes.
Courtesy of IT Governance