Failing to patch vulnerabilities now will lead to punishment under the GDPR
The Information Commissioner’s Office (ICO) has warned that organisations could be punished for existing vulnerabilities when the EU General Data Protection Regulation (GDPR) is enforced.
Although the GDPR won’t take effect until 25 May 2018, organisations that fail to identify and patch vulnerabilities before this date face strict disciplinary measures. The ICO has said that fines will be a last resort, and that the Regulation’s maximum penalty – €20 million (about £17.8 million) or 4% of annual global turnover, whichever is greater – will be reserved for only the most egregious violations, but any disciplinary action could be costly.
Any non-compliant organisation faces enforcement action, including an investigation into its practices and a mandate to address any processes that fall short of the GDPR’s requirements.
Nigel Houlden, head of technology policy at the ICO, said: “There may be some circumstances where organisations could be held liable for a breach of security that relates to measures, such as patches, that should have been taken previously.”
He added: “We therefore strongly recommend that organisations determine which of their systems are vulnerable, and test and apply the patches as a matter of urgency. Failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act is serious enough to warrant a civil monetary penalty.”
Call Solutions4IT and their Cyber Secure UK team to help you… 0121 289 4477