Record Fine for Data Protection Breach

24 Jan 2017

The Information Commissioner, Elizabeth Denham, has set a strong precedent by imposing a record £400,000 financial penalty on TalkTalk Telecom Group plc for inadequate data security structures. The decision represents a hard-line approach towards breaches of the principles of data protection. Undoubtedly, the intention of the Information Commissioner’s Office (ICO) was to send out a message to business owners everywhere that they need to engage seriously with the responsibilities prescribed by data security legislation.

The Facts

Between 15 and 21 October 2015 a teenage hacker single-handedly accessed the personal data of 156,959 TalkTalk customers. This data largely consisted of names, addresses, and phone numbers. However, one of the driving forces behind the severity of the fine was that 15,656 customers had their bank account details and sort codes stolen.

The timeline of events goes back to 2009 when TalkTalk acquired Tiscali’s UK operations, which included internet pages found to still be accessible in 2015. This stagnant data was left in cyber space by TalkTalk and allowed the hacker to infiltrate the customer database and extract the personal data of thousands of individuals.

The Decision

TalkTalk was found to have breached two data protection principles. The fifth principle, which disallows companies from holding data for longer than is necessary for its purposes, is a relatively clear rule that was blatantly breached by TalkTalk. The seventh principle, however, represents a greater challenge for business owners. This principle imposes a duty on companies to ensure that appropriate technical and organisational safeguards are put in place, and maintained, with a view to avoiding data being lost, damaged or stolen.

The ICO distinguished the TalkTalk case, and in doing so justified the level of the fiscal penalty in the following ways:

  • TalkTalk had previously been victim to two cyber-attacks in July and September 2015;
  • TalkTalk had both the monetary and staffing resources to ensure appropriate measures were in place; and
  • The standard expected of security safeguards becomes higher when financial information is involved.

The ICO’s rationale, when deconstructed, can be applied to businesses of any operational size or nature. The key message is that reasonable steps must be taken, by every business owner, to prevent a data breach materialising. The standard expected must be contextualised by factors such as the resources of the business, any previous indicators of vulnerability to security breaches, and the type of the information at risk. In order to achieve the appropriate level of protection, every business owner should diligently consider their operations in the context of the data protection principles and have systems in place to ensure the existing safeguards are both present and sufficient.

Practical Guidance

When collecting personal data for the purposes of marketing, the following are key points for compliance:

  • A business can only collect information if it has a good reason for doing so, such as wanting to market new products to a client or customer;
  • If a business proposes to use personal data for marketing, it should issue a privacy notice, which explains to the individual who will be using their data and how;
  • If a business intends to collect data using its website, it should include a prominent privacy notice; and
  • A business should always take legal advice when planning to collect bank or credit card details.

When storing data, businesses should keep records of compliance to ensure they are prepared for an investigation by the ICO. These records should reflect an individual’s preferences regarding how they wish to be contacted and show when and how their consent was obtained. A business should ensure that people are able to “opt-out” of receiving marketing and keep a database of those who have opted out in the past.

Solicited Marketing

This is where an individual or company has requested marketing material. Such a request allows a business to send this information, even if the individual or company has previously opted out.

Unsolicited Marketing

Businesses can contact individuals or companies held on their database unless they have specified that they do not wish to receive direct marketing. It is important for businesses to maintain and check their opt-out list before sending marketing information.

Data protection is arguably one of the most significant challenges faced by businesses in modern times. However, it is traditionally viewed as falling exclusively within the remit of the IT department, as opposed to being a key issue around the boardroom table.

Whilst the minimum aim for all companies should be to comply with data protection principles, there is a reputational motivation for doing so. As a consequence of the 2015 cyber-attacks, TalkTalk reportedly lost 101,000 subscribers, together with £42 million. Whilst data protection compliance can appear to be a nuisance, a commitment to improving and maintaining existing safeguards can ensure the public and existing customers view a business as being synonymous with trust and security.

If you would like to discuss any of the points raised in this article, please contact Jonathan Waters

Call: 0191 232 8345

Email: Jonathan.Waters@hay-kilner.co.uk