ICO hits electronics retailer with maximum pre-GDPR fine

Daniel Cooper is quoted in Global Data Review regarding the UK ICO’s decision to fine DSG Retail £500,000 under pre-GDPR data protection law. The fine stems from the company being compromised by a cyberattack affecting at least 14 million people.

Mr. Cooper says, “the ICO's imposition of a maximum fine appears due, in part, to the fact that it felt DSG should have learned its lesson from the Carphone Warehouse incident, but apparently did not. One further, interesting aspect to the case is that the ICO clearly did not like DSG's argument that certain aspects of the compromised data – customer primary account numbers and expiry dates associated with their payment cards – was not personal data. The ICO give this claim … very short shrift and it may have contributed to the ICO's generally dim view of DSG's practices.” He adds, “DSG may have been better served by not making such an argument, which the ICO were never likely to accept even at the best of times.”