While most companies focus on protecting the data of their clients and customers, GDPR and other data protection laws in the UK also apply to the protection of employee information.
30 November 2022
Insight
Retail and manufacturing company Interserve Limited has received a £4.4 million fine for failing to implement appropriate security measures to protect the data of its employees.
Under Article 5(1)(f) and Article 32 of the UK GDPR, organisations are required to implement appropriate technical and organisational measures (“OTMs”) to ensure the safety and security of personal data. These OTMs can include measures such as encrypting data, implementing training and processes and undertaking data protection impact assessments.
The ICO's investigation found that Interserve did not have appropriate OTMs in place to prevent a cyber-attack: a phishing email allowed attackers to access the personal data of up to 113,000 employees in May 2020. This data included contact details, national insurance numbers and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation and health information.
Phishing emails contain links or attached files which, when clicked, will download viruses or other malware that can allow cyber-attackers to access the organisation’s entire network. These emails are often disguised to look as though they are from a known colleague, customer, or supplier.
An employee forwarded the email, which was not blocked by Interserve's security systems; its content was downloaded and installed malware on the employee's system. The ICO found that although Interserve's anti-virus software detected the malware, the company did not thoroughly investigate the suspicious activity.
The above example serves as a stark reminder to organisations that the safety and security of data is of paramount importance, and that a lack of training and other measures, combined with employee complacency, can lead to significant fines from the ICO. John Edwards, the UK Information Commissioner, has warned of 'similar fines' for organisations that do not properly train staff, do not update software, or fail to act on warnings.
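The ICO's finding that the anti-virus alert was raised but never investigated is the practical lesson here: a detection is only useful if someone acts on it. The following is an added illustration, not part of the original insight or anything from the ICO's report. It triages a small constructed log of email-gateway and endpoint anti-virus events in a hypothetical pipe-separated format and lists the detections that still need human follow-up (no ticket or isolation within a set window, malware not actually quarantined, or a detection shortly after an email attachment was downloaded). Hostnames, event names and the log format are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical "timestamp|source|host|event|detail"
# format: an email gateway ("mailgw"), endpoint anti-virus ("av") and a SOC
# ticketing system ("soc"). None of these lines come from a real incident.
SAMPLE_LOG = """\
2020-05-04T09:12:00|mailgw|ws-0417|attachment_downloaded|invoice_0412.zip
2020-05-04T09:13:30|av|ws-0417|malware_detected|Trojan.Generic
2020-05-04T09:13:31|av|ws-0417|action|quarantine_failed
2020-05-04T10:05:00|av|ws-0188|malware_detected|Adware.Bundle
2020-05-04T10:05:01|av|ws-0188|action|quarantined
2020-05-04T10:20:00|soc|ws-0188|ticket_opened|INC-CONSTRUCTED-1
2020-05-05T08:00:00|mailgw|ws-0302|attachment_downloaded|report.docm
2020-05-05T08:02:10|av|ws-0302|malware_detected|Downloader.Macro
2020-05-05T08:02:11|av|ws-0302|action|quarantined
"""

# Events that count as "someone acted on the alert", and the time limits used.
FOLLOW_UP_EVENTS = {"ticket_opened", "host_isolated"}
FOLLOW_UP_WINDOW = timedelta(hours=4)        # how long an alert may sit untouched
AV_ACTION_WINDOW = timedelta(minutes=5)      # AV action expected right after detection
MAIL_CORRELATION_WINDOW = timedelta(minutes=30)  # attachment download -> detection


def parse_events(text):
    """Parse the pipe-separated log into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, host, event, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "source": source,
                       "host": host, "event": event, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def triage(events):
    """Return the malware detections that still need a human to look at them."""
    findings = []
    for det in (e for e in events if e["event"] == "malware_detected"):
        same_host = [e for e in events if e["host"] == det["host"]]
        reasons = []

        # 1. Was the alert acted on (ticket opened / host isolated) in time?
        followed_up = any(e["event"] in FOLLOW_UP_EVENTS
                          and det["ts"] <= e["ts"] <= det["ts"] + FOLLOW_UP_WINDOW
                          for e in same_host)
        if not followed_up:
            hours = int(FOLLOW_UP_WINDOW.total_seconds() // 3600)
            reasons.append("no follow-up within %dh" % hours)

        # 2. Did the anti-virus actually contain the file, or only detect it?
        actions = [e["detail"] for e in same_host if e["event"] == "action"
                   and det["ts"] <= e["ts"] <= det["ts"] + AV_ACTION_WINDOW]
        quarantined = "quarantined" in actions
        if not quarantined:
            reasons.append("not quarantined (%s)"
                           % (", ".join(actions) or "no action logged"))

        # 3. Was the detection preceded by an email attachment download on the
        #    same host? That points at phishing as the delivery route.
        delivered_by_mail = any(e["source"] == "mailgw"
                                and e["event"] == "attachment_downloaded"
                                and det["ts"] - MAIL_CORRELATION_WINDOW <= e["ts"] <= det["ts"]
                                for e in same_host)
        if delivered_by_mail:
            reasons.append("preceded by email attachment download")

        # A contained, ticketed detection with no mail link needs no escalation.
        if reasons:
            findings.append({"host": det["host"], "ts": det["ts"].isoformat(),
                             "malware": det["detail"],
                             "priority": "medium" if quarantined else "high",
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_events(SAMPLE_LOG)):
        print(f["priority"].upper(), f["host"], f["ts"], f["malware"], "; ".join(f["reasons"]))
```

On the sample log the fully handled host (detected, quarantined, ticket opened within the window) produces no finding, while the host where quarantine failed after an attachment download is escalated as high priority, and the quarantined-but-never-ticketed host is flagged as medium. The thresholds are arbitrary constants chosen for the example; in practice they would be set by the organisation's incident response policy.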
The maximum fine under the UK GDPR is the higher of £17.5 million or 4% of the organisation's total annual worldwide turnover, highlighting the potentially significant impact of a failure to implement appropriate OTMs.