DSG v Information Commissioner: Lessons for Data Controllers
The scope of discretion when implementing data security priorities. By Richard Jeens, Ross O’Mahony and Bryony Bacon of Slaughter and May.
In a world of headline-grabbing mega-fines against tech giants, it might seem that a £500,000 pre-GDPR fine would be of limited interest. However, a recent decision from the UK’s First Tier Tribunal (FTT) provides important and valuable lessons for any organisation dealing with large amounts of personal data (or, indeed, a Data Protection Authority). The lessons include the scope for judgement organisations are allowed to exercise in relation to the appropriateness of technical and organisational measures and how to respond when these are called into question by a regulator.
The case relates to a January 2020 penalty handed down by the Information Commissioner’s Office (ICO) to the retailer DSG Retail Limited (DSG) for data security failings under the Data Protection Act 1998 (DP Act 1998). The security failings were exposed by a sophisticated and extensive cyber-attack on DSG that occurred between July 2017 and April 2018. Cyber criminals initially targeted point-of-sale (POS) terminals (i.e. card machines) in DSG’s bricks-and-mortar retail stores in July 2017 and installed malicious software to scrape payment card details from the POS terminal’s memory. They also gained access to DSG’s wider IT systems, including marketing and antifraud databases, and accessed employee data, customer data and supplier information (including names and contact details). Some of the details remain unclear as the attackers covered their digital tracks, but DSG’s investigation indicated that they are likely to have extracted at least some data. During this time DSG were carrying out a major upgrade to their IT security.
UK Report subscribers, please login to access the full article
If you wish to subscribe, please see our subscription information.