In a recent post my colleagues Paul Glass and Ben Slinn take a look at the ICO’s latest enforcement decision, which focused on cyber security issues. The ICO has imposed a monetary penalty of £1.25 million on Ticketmaster in connection with an incident which occurred back in 2018. In the ICO’s view there was a failure to process personal data in a manner that ensured appropriate security, as required under Articles 5(1)(f) and 32 of the GDPR.
This penalty notice highlights the ICO’s expectations of controllers when they assess the appropriate security measures to protect personal data. In particular, the ICO focuses on failure to address known security vulnerabilities or issues, or to comply with third-party security guidance. The ICO expects controllers to proactively stay up to date with the potential security vulnerabilities or issues with the systems or tools they are using, and to take steps to address any such issues.