TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Europe Data Protection Digest | Tesco may have faced up to 1.9B GBP fine under GDPR for recent breach Related reading: Microsoft unveils open-source privacy mapping tool

rss_feed

Computing reports Tesco, the supermarket chain that owns Tesco Bank, could have faced fines of up to 1.9 billion GBP under the General Data Protection Regulation for the data breach it recently suffered. Tesco filed a turnover of 48.4 billion GBP at the end of September 2016. Since Tesco is classified as a data controller, it would have been forced to pay up to four percent of its turnover under the GDPR for suffering the breach. The new GDPR rules would have subjected Tesco to further class-action lawsuits for the breach in data privacy. “We're aware of this incident and are looking into the details. The law requires organisations to have appropriate measures in place to keep people's personal data secure. Where there's a suggestion that hasn't happened, the ICO can investigate, and enforce if necessary," a Tesco statement read. 
Full Story

6 Comments

If you want to comment on this post, you need to login.

  • comment Martin O'Dwyer • Nov 11, 2016
    In the absence of knowing all the relevant circumstances of this matter perhaps the article title should be changed from ' Tesco would have faced 1.9B GBP fine...'  to 'Tesco may have faced 1.9B fine...' given you have edited out the words 'up to' from the original article in Computing?
  • comment Jedidiah Bracy • Nov 11, 2016
    Thanks for the comment, Martin. We didn't edit "up to" out of the headline with any intent and did include it in the middle of the blurb: "...it would have been forced to pay up to.." But that said, I've updated the blurb to clarify the potential fine. Cheers, Jed
  • comment Duncan Smith • Nov 22, 2016
    Easy to work out the 4% figure, maybe we should be asking what mitigation is most effective at reducing this figure? How would ICO interpret 'proportionate' for example.
  • comment David Crompton • Dec 6, 2016
    Would Tesco PLC be implicated?  Or would the Data Controller, Tesco Personal Finance Plc, be the more likely target for the ICO?   It's revenue was around the £1 billion mark. = ~£4 million fine...
  • comment David Crompton • Dec 6, 2016
    *~£40 million
  • comment Jason Hunt • Dec 6, 2016
    Related to this is the issue of impact: I've raised questions on some forums asking if there is a definitive sliding scale for fines i.e. the Tesco breach is at the top end of the list in terms of size and impact - thereby attracting a maximum penalty. But what about smaller, less impactful breaches? They are breaches in the legal sense, but in this instance shouldn't attract the full 4% or $20M fine no? That being so, is this an agreed metric for assessing fines verses data breach impact?