GDPR Countdown: How Vulnerable are You?

21 February 2018

The Information Commissioner’s Office (“the ICO”) in the UK has warned that data breaches stemming from security flaws known prior to 25 May are subject to the GDPR’s hefty fines.

The pressure is therefore on to carry out vulnerability testing, patch your weak spots and implement safeguards. And there isn’t a ‘one size fits all’ solution to information security. What is required legally is to show that appropriate technical and organisational measures are in place – and this needs to be bespoke.

On 10th January 2018 the ICO fined Carphone Warehouse £400,000, down from £500,000 after negotiating a 20% discount for “early repayment”. Attackers were able to access their system via an out-of-date WordPress software. The ICO reported inadequacies in Carphone Warehouse’s technical security measures, including insufficient software patching, and failure to carry out routine security testing. These inadequacies meant that Carphone Warehouse failed to have appropriate security measures in place and a fine under the GDPR could have been as high as £17m or 4% of its annual global turnover – £10.58bn as of last year.

The message is clear: patch or be fined.

The scope of who is required to patch up their vulnerabilities now is broader than you may think. It’s anyone who has authority over how personal data is processed, e.g. third party providers using data processing algorithms on a vulnerable system. If you control how data is processed, know what you are processing and how – and conduct an audit of who you are engaging (and the sub-processors your processor is engaging). Do your due diligence on who else has control over personal data and if they have patched any vulnerabilities in their system.

But it’s not all about having sufficient software patching procedures in place. Over the weekend nearly 5,000 websites were breached, including many government websites such as the ICO, where hackers compromised a third party script to inject code that “mines” cryptocurrency. Even the ICO is vulnerable, and this is why cyber security needs a top-down holistic approach:   

  • Ensure you have a comprehensive asset management system and implement a robust asset patch management policy, including measures to ensure patches are being applied.
  • Carry out regular vulnerability testing – we recommend at least once a year or after any significant change.
  • All passwords should be securely stored and their access limited.
  • Implement technical security controls such Perimeter Firewalls, Web Application Firewalls and Data Loss Prevention technologies.

The ICO have confirmed that organisations should carry out vulnerability testing now. Decisions on patching or other safeguards must be tailored to your organisation. Data privacy and security cannot be an afterthought.

Interested in joining Schillings?

If you have expertise in law, intelligence, investigations, cyber security (digital forensics, penetration testing and incident response), risk consulting or advisory and would like to hear more about life at Schillings, please email Imogen Pickering.

About the Authors

Punam Mehta


​Punam’s experience of commercial litigation enables her to deal with complex and multi-jurisdictional disputes and investigations.

646 934 6219

Paul Price

Associate, Cyber

A creative software architect, Paul is responsible for developing cutting edge software to help clients better defend themselves from internal data loses and external hacking attacks.

646 934 6219