Report on Supply Chain Compliance 3, no. 4 (February 20, 2020)
The Information Commissioner’s Office fined DSG Retail Limited (DSG) 500,000 British pounds after an investigation discovered a data breach involving the personal data of approximately 14 million people. Hackers installed malware on 5,390 tills on DSG-run e-commerce platforms, allowing them to siphon the data from July 2017 to April 2018.[1]
The fine was levied under the Data Protection Act of 1998, the predecessor to the Data Protection Act of 2018,[2] which was passed to bring the United Kingdom’s data protection regulatory framework in line with the GDPR.[3] The GDPR and the new Data Protection Act came into force in May 2018; DSG avoided a much larger fine under the GDPR because the breach took place and was reported before the GDPR became law.
An advisory note[4] from Cordery Compliance discussing the breach contains several important takeaways, including the fact that anonymized data and pseudonymized data are very different things and that more organizations need to properly anonymize data. Effectively anonymized data can protect against the worst effects of a data breach and also gives regulators assurance that an organization is doing its best to manage sensitive data, which may result in a lower fine if and when a data breach does occur.