UK Law and Practice Contributed by: William Long, Francesca Blythe, Eleanor Dodding and Anila Rayani, Sidley Austin LLP
• pseudonymisation and encryption of personal data;
• the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
• a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of personal data processing.

Importantly, according to the ICO, there is no “one size fits all” approach to “appropriate” security; the ICO recommends that – before taking a view on what is “appropriate” – organisations should assess the level of risk by reviewing the type of personal data held, whether it is sensitive or confidential, and the damage that would be caused to data subjects if it were compromised (eg, identity fraud).

In addition, when considering which cybersecurity measures to adopt, the ICO recommends that organisations consider:
• system security – security of the organisation’s network and information systems (particularly systems that process personal data);
• data security – security of the personal data held in the organisation’s systems (eg, ensuring appropriate access controls are in place within the organisation);
• actively managing software vulnerabilities – including using in-support software and the application of software update policies (patching), as well as taking other mitigating steps where patches cannot be applied;
• online security – website and mobile application security; and
• device security – considering information security policies for bring-your-own devices, where offered by the organisation.

The UK GDPR and the DPA continue to be enforced by the ICO, including with regard to cybersecurity matters, but only to the extent that they impact personal data. The ICO is required to adhere to specific procedures before undertaking enforcement action – for example, before imposing an administrative fine on an organisation for:
• breaching the integrity and confidentiality principle;
• inadequate security measures; or
• failing to report a personal data breach to the ICO or affected data subjects.

Where applicable, the ICO is required under Section 149 of the DPA to first issue the organisation with a written “enforcement notice”, which requires the organisation to take steps specified in the notice and/or refrain from taking steps specified in the notice. If the ICO is of the view that the organisation has failed to comply with the enforcement notice, the ICO will then issue a written notice (penalty notice) imposing a monetary penalty on the organisation of up to the greater of 4% of annual worldwide turnover or GBP17.5 million. When determining the monetary penalty amount, the ICO will consider a number of aggravating or mitigating factors. These factors include the nature, gravity and duration of the infringement – for example, personal data breach or inadequate security measures – and the intentional or negligent character of the infringement.

In determining whether to undertake a criminal prosecution under the DPA, the ICO must reference the Code for Crown Prosecutors and the
333 CHAMBERS.COM