The Information Commissioner's Office (ICO) has said that data breaches occurring after GDPR takes effect which stem from security flaws known about before then will be subject to enforcement under the new data protection laws.

Nigel Houlden, head of technology policy at the ICO, advised organisations to "determine which of their systems are vulnerable, and test and apply the patches as a matter of urgency" in response to the risks. He warned of the potential regulatory consequences should they fail to do so.

Mr Houlden said: "Failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act is serious enough to warrant a civil monetary penalty."

Data protection law expert Rachel Forbes of Pinsent Masons said that the comments make it clear that the ICO will not take kindly to businesses "burying their head in the sand and overlooking weaknesses and vulnerabilities in systems".

"Businesses should take action now to put themselves in a strong position for avoiding reportable security breaches once the GDPR comes into force," she said.

Meanwhile, the ICO has published guidance and advice for small businesses preparing for the introduction of GDPR.

The watchdog has provided a guide to GDPR, checklists, FAQs and a graphic outlining '12 steps to take now'. The ICO has also launched a new advice service helpline for small businesses and charities.