Earlier this month, the Information Commissioner’s Office (ICO) fined Carphone Warehouse £400,000 for inadequate data security measures. The ICO found that a cyber-attack had compromised the data of more than 18,000 customers – including names, phone numbers, and payment details. Susanne Matthissen, from our GDPR team, explains.

Staff only became aware of the attack, which originated in Vietnam, 15 days after it had started – and they didn’t even know that historic credit card data was held on their systems.

With GDPR fast approaching, all organisations need to take note of Carphone Warehouse’s failure and review their own cyber-security measures. For the majority of organisations, planning for GDPR will involve a transition process, and as part of that you’ll need to look at how adequate your existing cyber-security systems are to make sure that you’re compliant. Under GDPR, you’ll be held accountable if you are not.

The size of Carphone Warehouse’s fine was largely down to their size and available resources. Not all businesses will face this kind of fine if they’re hacked or suffer a cyber-attack. But you should assess the level of risk that your organisation is facing, and take steps to reduce that risk accordingly. This will inevitably involve working closely with your IT services.

GDPR transition planning also provides an opportunity to review what personal data your organisation holds, and delete anything that is out of date or no longer required – which will in turn reduce both risks and potential fines for a breach.

For more information on GDPR, and how you can prepare for the changing regulations, please take a look at how we can help.