Data Bytes January 2023

We look at International Data Protection Day and the impact of Data fines
January 26 2023

International Data Protection Day

It is international data protection day on January 28th! For Data Protection professionals it is an opportunity to raise awareness for our passion topic, but how did it start?

European Data Protection Day was initiated by the European Council in 2007, with the date being the anniversary of The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data being opened for signature by the Council on 28 January 1981. A resolution was then passed in the US in 2009, to declare January 28th National Data Privacy Day and now, International Data Protection Day is observed in the US, Canada, Nigeria, Israel, the UK and 46 European countries.

It originally started as a business-oriented day, to raise awareness within organisations and their workforce, but the educational focus has shifted over the years to include all consumers, including family and household related data protection concerns.

If you have a vested interest in improving awareness of data protection in your business, you can use January 28th as being a trigger event to:

  • Organise communications campaigns, including games or quizzes about topics such as data subject rights and data breach reporting.
  • Encourage data handlers around your business to complete an annual purge of files, emails and other data that have reach your corporate retention rules.
  • Launch an information security e-learning package or phishing training campaign.

Even if your organisation is not doing anything special for the event, just take a moment to refresh your memory on your organisation’s data protection policy and privacy notices, to keep them front of mind for another year.

2022 Data Protection Stats Roundup

In 2022 the ICO issued 34 fines with the collective value of £15.9m, which makes it the second highest years of ICO fines in history – second only to the large Marriot and British Airways fines of 2020.

The largest of these fines were:

  • Clearview AI in May – £7.5m
  • Interserve in October – £4.4m
  • Easylife Ltd in October – £1.35m

This continuing upward trend of fines in the UK is echoed across the other European data protection agencies:

  • Fine to Meta Platforms from the Data Protection Authority of Ireland in May – €405m
  • Fine to Meta Platforms from the Data Protection Authority of Ireland in November – €265m
  • Fine to Clearview AI from the French Data Protection Authority in October – €20m
  • Fine to Clearview AI from the Italian Data Protection Authority in October – €20m

The fines above highlight the compound risks to non-compliant global companies, with multiple data protection authorities in Europe taking action against the same company on behalf of their citizens.

Interserve Fine – Summary

We have covered Clearview and Easylife in previous articles, so let’s take a closer look this time, at the Interserve fine issued by the ICO.

Interserve were subject to a hack which compromised data concerning 113,000 current and past employees and included both personal and special category data. The ICO deemed Interserve to have “failed to process personal data in a manner that ensured appropriate security of the personal data using appropriate technical and organisational measures”.

The breach happened in April 2020 when an employee received a phishing email which was not detected by Interserve’s systems. The employee downloaded its malware content, which was detected and quarantined, but Interserve failed to pick up on the fact that the hacker still had access to their system after this point. 2 days later the hacker had compromised a server and a month later, they compromised hundreds of other systems and accounts (including admin accounts) which enabled them to uninstall the anti-virus solution and encrypt many systems including 4 HR systems.

At this point, Interserve became aware that they had been subject to a ransomware hack and notified the relevant authorities.

In the following investigation, it was found that some of Interserve operating systems were old and unsupported, which contradicted their own technology and patch management policy. And the end point protection controls (anti-virus, firewall configuration and other controls) were poorly executed, contrary to Interserve’s own infrastructure and network management standards. And finally, one of the two employees who had handled the original phishing email had never received any data protection training, despite their Security Training Policy which stated otherwise.

Companies who have stringent policies but fail to comply with them, tend to receive even heftier fines from the ICO, because they have crystalised in writing exactly what they should be doing but are then found negligent by failing to execute on those standards.

It is worth reviewing your own security policies, to ensure they are robust and that you can evidence compliance with all of the policy statements and controls. This will result in a higher level of protection, reduce risk and ensure that you are not found negligent of your own policies, should anything bad happen.