The UK’s Data Protection Authority (ICO) last week fined Royal & Sun Alliance (RSA) – a leading UK insurance company – £150.000 (€170.000) for failing to keep customers’ information safe. The fine was issued following the theft from one of its offices of a hard drive device containing 60,000 customers’ names, addresses and bank account details, including account numbers and sort codes.
The ICO investigation found that RSA did not have adequate measures in place to protect the customer information. ICO’s head of enforcement said: “There are simple steps companies should take when using this type of equipment including using encryption, making sure the device is secure and routine monitoring of equipment. RSA did not do any of this and that’s why we’ve issued this fine.”
Data security plays a prominent role in the new General Data Protection Regulation (GDPR). Compared to current national data protection laws based on the 1995 Data Protection Directive, the GDPR imposes stricter obligations on organisations with regard to data security while simultaneously offering more guidance on appropriate security standards.
Under Article 32, EU organisations are required to “implement appropriate technical and organisational measures” taking into account “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.”
Unlike the Directive, however, the GDPR provides suggestions for what kinds of security actions might be considered “appropriate to the risk,” including:
- The pseudonymisation and encryption of personal data.
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident.
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
In the event of a data security breach under the GDPR, organisations that fail to demonstrate appropriate technical and organisational compliance can expect fines of up to 2% of annual global turnover or €10 million – whichever is greater.
In this instance, Royal & Sun Alliance Insurance got off rather lightly in terms of the financial penalty incurred. The reputational damage, however, will be significantly greater, with almost 60.000 customers dealing with the stress of their confidential information potentially being used in fraudulent activity.
For further information on the new Regulation and its application, the following publication is recommended:
EU GDPR – An Implementation and Compliance Guide
This clear and comprehensive guide provides detailed commentary on the GDPR, and practical implementation advice on the measures needed for your data protection and information security regimes. Buy now >>