GDPR Countdown: How Vulnerable are You?

21 February 2018

The Information Commissioner’s Office (“the ICO”) in the UK has warned that data breaches stemming from security flaws known prior to 25 May are subject to the GDPR’s hefty fines.

The pressure is therefore on to carry out vulnerability testing, patch your weak spots and implement safeguards. And there isn’t a ‘one size fits all’ solution to information security. What is required legally is to show that appropriate technical and organisational measures are in place – and this needs to be bespoke.

On 10th January 2018 the ICO fined Carphone Warehouse £400,000, down from £500,000 after negotiating a 20% discount for “early repayment”. Attackers were able to access its system via out-of-date WordPress software. The ICO reported inadequacies in Carphone Warehouse’s technical security measures, including insufficient software patching and a failure to carry out routine security testing. These inadequacies meant that Carphone Warehouse failed to have appropriate security measures in place, and a fine under the GDPR could have been as high as £17m or 4% of its annual global turnover – £10.58bn as of last year.

The message is clear: patch or be fined.

The scope of who is required to patch up their vulnerabilities now is broader than you may think. It’s anyone who has authority over how personal data is processed, e.g. third party providers using data processing algorithms on a vulnerable system. If you control how data is processed, know what you are processing and how – and conduct an audit of who you are engaging (and the sub-processors your processor is engaging). Do your due diligence on who else has control over personal data and if they have patched any vulnerabilities in their system.

But it’s not all about having sufficient software patching procedures in place. Over the weekend nearly 5,000 websites were breached, including many government websites such as the ICO’s, where hackers compromised a third-party script to inject code that “mines” cryptocurrency. Even the ICO is vulnerable, and this is why cyber security needs a top-down holistic approach:

  • Ensure you have a comprehensive asset management system and implement a robust asset patch management policy, including measures to ensure patches are being applied.
  • Carry out regular vulnerability testing – we recommend at least once a year or after any significant change.
  • All passwords should be securely stored and their access limited.
  • Implement technical security controls such as perimeter firewalls, web application firewalls and data loss prevention technologies.

The ICO have confirmed that organisations should carry out vulnerability testing now. Decisions on patching or other safeguards must be tailored to your organisation. Data privacy and security cannot be an afterthought.

About the Authors

Paul Price

Senior Associate, Cyber

Paul is a passionate and trusted cyber security professional specialising in advising some of the world's most influential people, protecting their businesses and reputations from the latest cyber threats.
