The Data Protection Commission (“DPC”) recently published guidance for data controllers and processors outlining appropriate security measures to be implemented in relation to data subjects’ personal data.
The guidance comes just weeks after the Information Commissioner’s Office in the UK (“ICO”) issued its first fine under the GDPR for a data controller’s failure to ensure the security of its customers’ personal data. In that case, Doorstep Dispensaree Limited, a London-based pharmacy, was fined £275,000 following the discovery of approximately 500,000 documents in unlocked containers at the back of its premises. The containers held a substantial amount of personal data, including the names, addresses, medical information and prescriptions of the company’s customers. Some of the documents had sustained significant water damage, indicating that they had been stored in this manner for some time.
The ICO outlined that it was fining Doorstep Dispensaree for failing to implement the appropriate organisational measures to ensure the appropriate security of the personal data and for processing the data in an insecure manner. Furthermore, the ICO added that the company had also failed to publish and distribute to its customers a privacy notice containing the required information under data protection legislation, in a separate breach of the GDPR. The ICO was clear that this was an “extremely serious” breach and it is undoubtedly just the beginning, as industry professionals expect to see both the ICO and the DPC handing out further fines for breaches of the GDPR in the coming months.
Neither the Data Protection Act 2018 nor the GDPR details specific security measures that a data controller or processor must have in place. Rather, the legislation places an obligation on controllers and processors to implement data protection “by design and default” and to implement appropriate technological and organisational measures to ensure a level of security appropriate to the risk. Appropriate measures may include the pseudonymisation and encryption of personal data and/or a process for regularly testing and evaluating the organisational data security measures in place in the organisation.
The DPC’s “Guidance for Controllers on Data Security” provides a practical summary covering a number of topics, including data collection and retention policies, access controls, encryption and incident response plans. The guidance note indicates that a data controller should always be aware of the personal data it holds and how that data flows through the organisation. Access to personal data should be limited by the data controller on a “need to know” basis, and those who do have access to personal data should have a unique identifier, such as a password. Retention policies, anti-virus software, and logs and audit trails are all mechanisms which the DPC recommends in order to ensure appropriate data security.
The Doorstep Dispensaree case should serve as a salutary lesson to all data controllers and processors to ensure that appropriate technological and organisational measures are in place in their organisation to secure personal data. To date, the DPC has not issued any fines under the GDPR. However, the Data Protection Commissioner, Helen Dixon, has indicated publicly on a number of occasions that the issuance of such fines by her office is an “inevitability”.