The ICO is clamping down on data thefts

Criminal proceedings against eight individuals over the alleged unlawful accessing and obtaining of people’s personal information from vehicle repair garages to generate potential leads for personal injury claims have been commenced by the Information Commissioner’s Office (ICO).

The ICO’s involvement in criminal proceedings of this nature is not without precedent but is still relatively rare.

The ICO allege that the activity took place across the UK between 1 December 2014 and 30 November 2017, with the defendants allegedly having conspired together to access and obtain the personal data of hundreds of thousands of individuals without consent, to use this information to facilitate personal insurance claims.

Following a complex and wide-ranging criminal investigation by the ICO, these defendants will now face prosecution for conspiring to commit an offence under section 1 of the Computer Misuse Act 1990, relating to the alleged unlawful accessing of personal data held on computers, and conspiring to commit an offence under section 55 of the Data Protection Act 1998 (Due to the offences pre-dating the implementation of the current Data Protection Act in May 2018, the relevant legislation is the Data Protection Act 1998.), relating to the alleged unlawful obtaining of personal data.

Notably, the first similar case prosecuted by the ICO was back in 2018 and was also linked to vehicle repair companies. In that case, an individual working for Nationwide Accident Repair Services (NARS) is said to have used his colleague’s login details to access thousands of customer records without permission. The individual in this case was found to have had benefitted financially from his illegal activity, and after criminal proceedings, was ordered to pay £25,500 in a confiscation order.

The ICO encourages companies to revisit their cyber security controls to ensure they are properly secured and protected against potential data thieves as cyber-attacks continue to rise. Personal data obtained in this way can be a valuable commodity and selling it may seem to malicious individuals like an easy way to make money. Severe penalties are expected to be issued so that the outcome of this case serves as a deterrent to others wishing to benefit from data theft.

Data Protection – How can Complyport Help?

Our experienced Cyber Security and Data Protection team led by Martin Schofield—one of the world’s leading specialists in the field—brings a wealth of experience to every project we are engaged in. Compylyport can not only provide advice, guidance and support on cybersecurity and data protection but we can also provide a Data Protection Officer Support as a Service.

DPO Support As a Service

Our Data Protection Officer/Support service team, provided by an experienced and multiskilled personnel including a Certified Data Protection Officer and Industry Practitioners, are at your disposal when you are looking to address data protection risks and enhance your privacy mechanisms and internal framework. Our service entails assisting you to understand and work within the legislative complexities, which govern the processing of personal data, and at the same time consider your business needs with respect to Information Systems, data security and organizational processes across the full scale of your operations.

Our multi-faceted Data Protection Services are provided through our multiskilled team of legal, security and operational experts when you are looking to:

  • Implement essential elements of UK Data Protection Act 2018 (DPA) and the General Data Protection Regulation of the European Union EU2016/679 (GDPR), such as the principles of data processing, data subjects’ rights, data protection by design and by default, records of processing activities, security of processing, and notification and communication of data breaches.
  • Foster a data protection culture within your organisation and with your external stakeholders
  • Carry out DPIAs where needed and suggest the appropriate technical and organisational measures) to mitigate the identified risks
  • Support the management of Data Breaches with respect to response, notifications, communications, and advice on corrective actions necessary to prevent losses, regulatory complications and reputation impact.
  • Where necessary, provide a contact point for the Information Commissioner’s Office (ICO)
  • Provide solutions/answers to those data protection questions that puzzle your staff and help with decision making when a data protection issue arise in the context of your daily business.

If this article has raised any questions, or you think your firm may require assistance, please contact either Martin Schofield via martin.schofield@complyport.co.uk or Jonathan Greenstein via jonathan.greenstein@complyport.com to book in a free consultation.

About Complyport

Complyport is the City’s market leading consulting firm supporting the UK financial services industry for over 20 years. We specialise in providing Governance, Risk and Compliance services to support the regulated financial services industry to raise standards and thrive.

Complyport advises and assists firms to become authorised and to comply with the rules and requirements of regulators on an ongoing basis. Our vision is to be there for our clients every step of the way, helping them change, grow, and excel through expertise, insight, and innovation, and in so doing to become our clients’ most valued supplier and trusted advisor.

We have successfully assisted over 1000 firms to become authorised with the FCA and EU and are providing regulatory support to over 600 regulated firms on an ongoing basis globally. With presence in the UK and EU, as well as via our Associates Network, Complyport can assist firms across multiple jurisdictions.

Complyport’s multidisciplinary consultants possess deep expertise in their field, having acted in FCA skilled person reviews, as expert witnesses in legal cases and as expert investigators for firms or their legal advisers.

Day to day, we conduct audits and reviews of a firm’s products, processes, policies, and procedures to identify scope for business, to determine the impact of regulatory developments and to verify compliance with local regulations. Our clients tell us we live our values; we are driven, agile and collaborative.