Security Newsletter

In this edition we find out why Magnacrest Ltd were charged by the ICO for failing to reply to a Subject Access Request and why your company needs to pay the Data Protection Fee if it is a data controller. We also cover the ICO’s announcement of more Brexit-related data protection investigations, Microsoft’s announcement of the death of Internet Explorer, and more…

Housing Developer Magnacrest Ltd Fined £1,500 For Failing To Reply To a Subject Access Request

The Information Commissioner’s Office (ICO) has successfully prosecuted one of the UK’s leading homebuilders, Magnacrest Ltd, after the company pleaded guilty to failing to respond in full to a subject access request from a member of the public regarding all personal data the company had in their records.

According to the ICO:

Magnacrest pleaded guilty to a charge of failing to comply with an enforcement notice when it appeared before Westminster Magistrates on 6 February 2019. The company was fined £300, with a £30 victim surcharge, and was ordered to pay £1,133.75 towards prosecution costs.

Mike Shaw, the ICO’s Criminal Enforcement Manager, said:

The right to access your own personal information is a fundamental and long-standing principle of data protection law. New laws brought into effect last May strengthen those rights even further.

Organisations not only have to respect this right but must also respect notices from the ICO enforcing the law. If they fail to do so then they must accept the consequences, which can include a criminal prosecution.

Failing to respond promptly to a subject access request (SAR), within 40 calendar days, could land you in serious legal trouble. To find out more about SARs and how you can become more compliant with the law, why not visit this useful ICO guidance on Subject Access Requests?

ICO Explains Why Businesses Need To Pay The Data Protection Fee

The ICO’s deputy head, Paul Arnold, has this month outlined why it is important for ‘data controllers’ to pay the data protection fee. Those who are unsure, or even unaware, of the Data Protection Regulations 2018 Act and why the fee was created (it helps to fund the ICO’s regulatory and investigatory work) can refer to this useful Data Protection Fee guideline.

The ICO’s Paul Arnold stated:

It’s the law to pay the fee, which funds the ICO’s work, but it also makes good business sense. Because whether or not you’ve paid the fee could have an impact on your reputation.

When you’ve paid, your business is published on our register of data controllers. Members of the public and other companies check that list before they decide to do business.

We speak to thousands of people and organisations every week and it’s clear that being on the register tells others a lot about you.

It’s a strong message for your customers – it lets them know that you value and care about their information and that you’re more likely to keep it secure and not share it inappropriately.

It also lets other organisations know that you run a tight ship and that you’re aware of your data protection obligations. It indicates that you’re more likely to take your other data protection responsibilities seriously too. It’s a reassurance for those thinking of doing business with you.

For most organisations, the fee is either £40 or £60 a year depending on your turnover and how many people you employ.
If you’re not sure whether you need to pay, you can check here.

More “Brexit” Data Protection Investigations Announced by the ICO

The Information Commissioner’s Office has issued fines totalling £120,000 to the Leave.EU referendum group and Eldon Insurance, both headed by Arron Banks, the millionaire businessman who donated £9M to the leave campaign (the biggest political donation in British political history).

The ICO published the following statement:

“The ICO announced an audit and issued a preliminary enforcement notice as well as three notices of intent to fine Leave.EU and Eldon Insurance trading as Go Skippy Insurance, in November 2018 as part of its investigation into data analytics for political purposes.

After considering the companies’ representations, the ICO has issued the fines, confirming a change to one amount, with the other two remaining unchanged. The regulator has also issued two assessment notices to Leave.EU and Eldon Insurance to inform both organisations that they will be audited.

The ICO investigation found that Leave.EU and Eldon Insurance were closely linked. Systems for segregating the personal data of insurance customers from that of political subscribers were ineffective.

This resulted in Leave.EU using Eldon Insurance customers’ details unlawfully to send almost 300,000 political marketing messages. Leave.EU has been fined £15,000 for this breach.”

Browser Patch Bonanza As All Major Browsers Announce Big Patch Updates

The last couple of weeks have seen major announcements from Google, Microsoft and Firefox relating to patch updates for their browser products. The major security patches illustrate the changing threat landscape faced by web users and the ever-changing threat dynamics that browser developers need to remain focused upon.

Google unveiled 58 security fixes, including a rare critical vulnerability, in which code execution threats connected to malicious websites raised the spectre of major Chrome web threats requiring swift patch updates. These threats centred upon SophosLabs’ recently discovered CVE-2018-18500 HTML5 stream parsing threats.

Mozilla, the developer behind Firefox and Thunderbird, released critical patch updates fixing the same SophosLabs CVE threat. The update included a mix of critical and high importance updates for Firefox.

Microsoft has announced the death of Internet Explorer, with IE ending in 2020. The news will impact enterprise computing users – especially public sector bodies still attached to IE. However, IE has fallen by the wayside in the consumer market with Chrome dominating the browsing marketplace.

New Report Finds 54% Of Companies Investing In IT Security As A Response to GDPR Compliance Demands

According to the report, over half of businesses expect to increase IT security expenditure during 2019 as a response to GDPR compliance, with spending levels increased by nearly 20% in some cases. The irony, however, is that many tech companies are now worried that companies are flooding the market with cash, yet a lack of basic awareness and preparedness could result in companies not investing in the right data security solution for their own unique circumstances.

TechRepublic reports:

One in three companies said they don’t feel ready to combat a cybersecurity threat, the report found. This lack of preparation leaves businesses vulnerable to attack, leading many large enterprises to consider spending more on IT security measures this year.

The enterprise also remains fearful of possible data breaches amid new privacy regulations such as GDPR, the report found. Some 97% of IT professionals said they are afraid of an Internet of Things (IoT)-based cyberattack, yet only 29% said they are actively monitoring their systems, reported our sister site ZDNet. However, companies are turning that around in 2019, the report added.

If you would like to find out more about GDPR compliance and the right data security needs for your business, why not visit the GDPR guidance on the ICO website, or visit the National Cyber Security Centre for more information on how you can protect your business from cyber threats.

Until next time …