The Information Commissioner’s Office is still processing complaints that arose under the Data Protection Act 1998, before the GDPR came into force on 25 May 2018. It has just imposed the maximum fine available under that Act, £500,000, on Equifax, the credit reference agency.
The ICO found that Equifax Ltd, the company’s UK business, had failed to take appropriate steps to protect the personal data of UK citizens. Although the systems that were hit by the cyber-attack were run by its US parent, the UK company remained responsible for the UK data it had sent there, and the attack exposed the personal data of some 700,000 UK citizens.
The data that was exposed included names, dates of birth, telephone numbers and, in some cases, driving licence numbers.
The ICO reports numerous failures in this case, including retaining personal information for longer than necessary and leaving it vulnerable to attack. Equifax had been warned about a known critical vulnerability in its systems but had not taken appropriate steps to patch it before the attack.
The fine is the maximum available under the Data Protection Act 1998; the GDPR has since introduced the possibility of much greater fines, of up to €20 million or 4% of worldwide annual turnover, whichever is higher.
This is another reminder, if one were needed, that we must all take our compliance with data protection law very seriously.
If you have questions, we can help. Please get in touch.