Heathrow Airport has been fined £120,000 after an employee lost a memory stick containing sensitive personal data.
On 16 October 2017, the USB stick, containing the sensitive personal information of up to 60 Heathrow security personnel and over 1,000 files, was found by a member of the public. Some of the information included names, dates of birth and passport numbers.
Alarmingly, the USB was not encrypted or password protected, despite containing sensitive personal information and information on the security and transport measures in place at the airport. Whilst a memory stick is an efficient way to store and transfer data, its physical size and data capacity mean that it's more susceptible to being lost, misplaced or stolen.
Clearly the employee should have been more careful. However, the ICO has made it abundantly clear that data protection is a boardroom issue for companies.
The ICO's director of investigations, Steve Eckersley, has stated that: "Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them."
So what does this mean for businesses?
While £120,000 is a hefty fine, it was imposed under old data protection legislation as the breach occurred in October 2017. Under the new General Data Protection Regulation (GDPR) the maximum penalty could be up to 4% of the company's annual worldwide turnover or 20 million euros (whichever is the greater).
You can mitigate the risk of exposing personal data by taking some simple measures. For example:
Small steps such as these are vital for mitigating the risk of a data protection breach.
If you have any questions about compliance with data protection and privacy regulations, speak to our privacy team today on 029 2048 2288.