ICO Figures Show Retail Sector Consistently Fails to Protect Customer Data

Auriga Consulting Ltd (Auriga), the expert data, today revealed that more than 500 complaints and concerns were raised over potential data breaches in the retail sector over the course of the past year. Of these, 312 cases were classified as generic breaches, of which 156 were classed as breaches of the Data Protection Act (DPA) (from April 2014 – March 2015). According to a Freedom of Information Act (FOIA) request submitted to the Information Commissioner’s Office (ICO) in April, the top three causes of generic breaches were DPA compliance and a request for assessment from the ICO (136 cases), subject access (72 cases) and disclosure of data (33 cases).
The FOIA results indicate the retail sector is experiencing a consistent rate of data breach incidents which breach the DPA. The number of breaches occurring on a monthly basis, averaging 13, suggests the sector could be doing more to protect sensitive data. Ecommerce and mcommerce are both stretching retailers thin, and a lack of good data hygiene, such as in the way data is created, stored, processed, shared and destroyed, is exacerbating the situation. In addition to improving data care, retailers also need to begin to take a more proactive stance in helping customers adopt good security practices.


The retail sector currently ranks as 15th in the Data Breach Trends analysis published by the ICO (as of 28 April 2015). However, this ranking is based solely upon the number of enforcement cases and does not reflect the number of incidents reported and investigated. To date, the ICO has sought to offer assistance to offenders, although it does hold the power to issue fines of up to £500,000. The retail sector has so far escaped any monetary fines, although the ICO did issue a warning to a shoe retailer for the breach of over a million customer records last May.
James Henry, Consulting Practice Manager, Auriga, believes the reason breaches continue to occur, with some of the biggest names in retail numbering among the offenders, is that there is still a disconnect between good security practice and the board: “The consistent number of DPA breaches indicates the message still isn’t getting through despite numerous high-profile incidents over the past year. Retailers are not doing enough to protect the data entrusted to them by their customers. Data protection is an organisation-wide legal obligation. Any compromise is likely to see an erosion of customer confidence and cause damage to the reputation of the company. So it’s vital the board gets involved and deals with the protection of sensitive data as a matter of urgency.”

Auriga suggests retailers look holistically at data protection across the enterprise and consider the following action plan:

·      Understand the data landscape – conduct an information audit to document and understand the types of information that are created, processed and stored. Each information asset should be reviewed to verify if it is personal data. Outline personal roles in the creation and processing of personal data. Are you the Data Controller or a Data Processor?

·      Conduct a PIA – the Data Controller responsible for personal data should conduct a Privacy Impact Assessment (PIA) screening exercise. This will help determine if a PIA is necessary for the data identified. A PIA will provide the organisation with some assurance that it is conforming to the eight DPA principles. A PIA also provides a risk-based approach to identifying and capturing potential privacy issues.

·      Test the system – A PIA is often based on paper, observation, stakeholder interviews and workshop tasks. It does not provide technical assurance that technical data privacy controls are actually in operation as per design and are working properly. Frequent, well-scoped internal IT vulnerability assessments and independent penetration tests can be used to provide this level of technical assurance. They can establish how difficult it is to extract sensitive customer data and test the ability of the business to respond to a breach. Can the Incident Response plan limit the impact of a breach?

·      Educate staff – Don’t just focus on IT. Educate staff on data protection best practices and look at the ease with which data breach incidents can be reported. Make the business and personal impact of a privacy breach real for them. Foster a culture of open disclosure so that staff do not fear repercussions for themselves or their associates.

·      Secure the supply chain – consider how personal data is secured not just within the organisation but by third-party suppliers. Weak third-party management is often cited as a primary cause of security incidents and privacy risk.

·      Avoid compliance complacency – Standards-based and regulatory compliance can only go so far. The retailer should seek to identify data privacy risks unique to the business and determine proportionate and effective methods to adequately address them.

Summary of FOIA findings
·      Over 500 complaints/concerns submitted to the ICO about the retail sector during the period March 2014 – March 2015
·      From April 2014 – March 2015, 312 were classed as generic breaches
·      From April 2014 – March 2015, 156 were classed as breaches of the DPA although no monetary fines were imposed
·      The top reasons cited were DPA compliance and a request for assessment from the ICO (136 cases), subject access (72 cases) and disclosure of data (33 cases)

·      Conclusion: Despite an initial reduction in April last year, the retail sector continues to consistently breach the DPA and needs to look more closely at how to effectively protect personal data.