
Recently, a Birmingham-based software provider reached a settlement with the UK's data regulator, the Information Commissioner's Office (ICO), over security failings that put the personal information of 79,404 people at risk. The violations included failing to implement adequate security measures to protect personal data, failing to report data breaches and a lack of data protection impact assessments (DPIAs). These failings allowed a ransomware attack on the provider's systems in 2022, which caused NHS delays and operational challenges and resulted in personal data, including health and other special category data, being exfiltrated.
The provider, which acts as a data processor for a wide range of data controllers across multiple sectors, including the NHS and other healthcare providers, legal and education, was provisionally fined £6.09m. Under the settlement, the provider has agreed to pay a reduced fine of £3.07m without appealing.
Why is this important?
This is the first monetary penalty the ICO has issued against a data processor in the UK, and it will certainly not be the last. The level of the fine reflects several factors, including the size of the provider (relatively small in comparison with the big market players), the seriousness of the infringement, the highly sensitive nature of the data held and the impact on data subjects.
What can organisations learn from this?
There are several learnings for organisations arising from this enforcement action, but two categories really stand out for us. These are:
Prevention is better than cure
The case highlights the need for all organisations, whether acting as controller or processor, to proactively address security vulnerabilities in order to protect data subjects and comply with data protection regulations. We recommend:
- Regularly perform DPIAs and security audits to identify and mitigate the risks associated with data processing activities. Software providers should have a scrutiny function built into every stage of system development and evolution, while adopter organisations should take active steps to scrutinise products before adopting them. We often see adopters prioritising functionality over due diligence, especially where the supplier is known to be widely adopted within a sector;
- Take a proactive, inquisitive role in ensuring that all systems, especially those handling sensitive data, are equipped with up-to-date security measures. Don't be afraid to ask the experts or seek a second opinion;
- When selecting software and services, prioritise security features and compliance with data protection regulations over other functionality. This applies both to adopters of technology and to developers procuring component parts (such as open-source software); and
- Provide ongoing training and awareness programmes for employees and officers of the organisation to ensure they understand the importance of data protection and are equipped to handle potential threats.
Mitigation and cooperation
In this case, the provider took steps to mitigate the damage, including isolating affected systems, notifying customers, and working with the National Cyber Security Centre (NCSC) and NHS Digital. The provider also co-operated with the ICO's investigation. Both the mitigation and the co-operation were taken into account and reduced the fine levied. We recommend:
- Have a well-defined incident response plan in place, understood by the workforce, so that the impact of data incidents can be addressed and mitigated quickly;
- Maintain open communication with regulatory bodies such as the ICO and NCSC to ensure compliance and to receive guidance during incidents;
- Notify affected parties promptly and provide clear guidance on the steps they can take to protect themselves; and
- Set out clear roles and responsibilities for data protection incidents within your organisation, including deputies.
To summarise, organisations of all sizes play a critical role in the security of personal data, and while we cannot stop security threats from happening, we can be proactive in minimising exposure and damage. As we have seen, enforcement action is both financially and reputationally damaging. Taking ongoing, proactive steps protects not only the business itself but also the wider data chain and all the data subjects within it.