Data breach puts GDPR back in the headlines

Less than a month since the General Data Protection Regulation (GDPR) came into force, we are already seeing reports of a huge data breach in the media.

No-one wanted to be the first to be associated with post-GDPR data breaches, but it is looking as though Dixons Carphone Plc might be in that position, as it revealed on Wednesday that it had been the victim of a massive data breach over the last year.

Attempts were made by hackers to compromise 1.2 million personal data records of its customers, and 5.9 million customer bank cards. The company has said that there is no evidence of any fraud as a result of the incident, and that extra security measures have since been put in place.

The data breach is said to have been uncovered last week when the company undertook a review of its systems and data, with the breach reportedly occurring in July last year, before the introduction of the GDPR.

The matter has been passed to the Information Commissioner’s Office, and an investigation is underway, which will determine whether the incident will be dealt with under the 1998 or 2018 Data Protection Acts.

The ICO’s investigation will be keenly watched by companies, to see how this first major data breach since the introduction of GDPR will be handled, and what level of fine will be imposed.

Under the GDPR, companies face much stricter obligations to report data breaches, and face much tougher fines as a result. Companies can be fined up to €20 million or 4% of annual global turnover (whichever is greater) if they fail to protect their data. In Dixons' case, some media channels are reporting that this could potentially lead to a fine of £400 million for the company.

Whatever the sanction imposed, this case is a timely reminder of how important it is for companies to make every effort to protect the data they hold and to ensure they are compliant and up to date with the requirements of GDPR.

Do not hesitate to get in touch with our Employment Team for guidance and advice in relation to GDPR and how the new regime will impact your business.