Data Protection Fee – Should you have paid?
The ICO appears to have launched a postal campaign targeting businesses that have not yet paid a Data Protection Fee. This follows action taken in late 2018, which saw some businesses receive fines of up to £4,000 for non-payment.
Businesses receiving letters may not necessarily need to pay the fee, but they do need to check this using the ‘quick self-assessment’ tool on the ICO website: https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/
For most organisations, whether a fee is payable depends on their activities as a Data Controller. Those operating CCTV at business premises are in scope for payment, which will see many businesses meeting the criteria and having to register. Registration with the ICO is done online and is straightforward and quick.
PHISHING – The most likely threat you’ll face!
Phishing is widely acknowledged as the most likely form of cyber threat your business will face. Statistics published by many leading agencies report the use of phishing by cyber criminals as three times higher than other forms of attack. The UK is reportedly up to 20% more prone to phishing than other EU countries, and phishing accounts for 32% of data breaches.
This shouldn’t come as a surprise. Data systems can be accessed, hijacked or disrupted relatively easily if staff can be fooled into responding to these malicious emails. The same technique is also used successfully by criminals to fraudulently obtain goods or cash.
Staff awareness is therefore key: staff need to recognise phishing mail, and to know how to respond correctly when they do detect it (for example, reporting it rather than clicking the link or replying).
Testing staff routinely with a simulated phishing attack is an effective way of raising and maintaining awareness, and at the same time checks mail filter capabilities and internal response procedures.
Businesses also need to be equally aware of the growing trend for criminals to use similar tactics by text message (smishing), with business mobile numbers being as easy to find as staff email addresses.
Aversus can provide simulated Phishing tests tailored to your requirements and subsequent support with training. Enquiries: email@example.com
Latest ICO Enforcement
February was relatively quiet in respect of headline fines compared with previous months.
CRDNN Ltd, based in Clydebank, was fined £500,000 for breaches of the Privacy and Electronic Communications Regulations (PECR). The business was found to have been making up to 1.6 million automated cold calls per day without consent. The ICO noted that the calls were made from spoofed numbers which masked the caller’s identity, and that a clear disregard for the law was evident.
The PECR regulations are currently being amended to bring them further into line with GDPR, and the changes may see a penalty regime more aligned to the increased penalties introduced under GDPR.
Similarly, DSG Retail Ltd (t/a Dixons Carphone & Curry’s PC World) was also fined £500,000, following a cyber breach of ‘point of sale’ computer systems in Dixons Travel and Curry’s PC World outlets. The attack loaded malware onto 5,390 tills across the business and resulted in data from 5.6 million payment card transactions being stolen, affecting 14 million people. The breach took place before GDPR came into force, and the fine was therefore the maximum available under the previous regime.
It is important to note the list of poor security measures identified by the ICO in this case, which included: inadequate software patching, absence of local firewalls, no network segregation and a lack of routine security testing. Each of these would have limited either the initial compromise or its spread across the estate.
There are lessons to be learnt!
Please get in touch with us, if you need support with any of the topics covered above:
Thank you for reading!