A shot across the bows for undocumented data protection

This article was co-authored by Joshua Curzon, Trainee Solicitor, London.

The Information Commissioner’s Office (ICO), the UK’s data regulator, recently issued a formal reprimand to a UK company which had fallen victim to a cyber incident. Brand New Tube (the company) suffered a data breach when an unauthorised third party gained access to its systems and exfiltrated the names, email addresses, and passwords of 345,000 website users.

Why did the ICO issue a reprimand?

The ICO’s decision to issue a reprimand rested on two fundamental issues:

1. Failure to evidence penetration testing and vulnerability scanning

The UK GDPR requires organisations to implement appropriate technical measures to protect personal data. Penetration testing (simulating an attack on systems) and vulnerability scanning (automatically scanning systems for known issues) are technical security measures recommended by the National Cyber Security Centre. Recent ICO enforcement notices have made it clear that the ICO expects organisations to implement penetration testing and vulnerability scanning as standard.

The company represented that a third party was responsible for performing these tasks, but was unable to evidence when the scans were last performed, or what methodology was used. This led to the second fundamental issue.

2. Failure to evidence organisational measures and controls

The UK GDPR requires organisations to implement appropriate organisational measures to protect personal data. Organisational measures are broad and can take many forms, but at a basic level include contracts and documented processes. Although the ICO’s reprimand does not address this, the UK GDPR also imposes a requirement to implement specific contractual terminology with data processors.

The company was unable to evidence that technical security measures were in place at the time of the incident. The ICO states that the company relied on assurances without proof of contracts or oversight.

What does this mean for organisations?

This is the latest example of the ICO taking a step back from the technical detail of a cyber incident to look at “big picture” compliance.

The ICO continues to make clear its expectation that organisations properly protect personal data and that they will be able to evidence this. Organisations which fall victim to cyber incidents will continue to face scrutiny over whether they took appropriate steps to protect personal data.

The ICO made recommendations to the company, which all organisations should implement as a matter of course:

  • Contracts addressing data protection with all third parties processing personal data.
  • Records of processing activities and the security measures in place to protect personal data.
  • Regular penetration testing and scanning of systems processing personal data, and records of outcomes and steps taken in remediation.


A reprimand is one of several enforcement options available to the ICO, including the ability to impose a fine. Organisations should be aware that even if the ICO decides against issuing a fine, a reprimand may bring adverse publicity, reputational harm, and ultimately financial loss.

This once again reinforces the need for all organisations to take an ongoing and proactive approach to their data protection obligations. Kennedys regularly advises organisations looking to strengthen their regulatory position and provide assurance for stakeholders.

Related items:

Related content