New Commission Decisions and Undertaking on 8 January 2026
07 Jan 2026
This month, the Commission has issued four Decisions and one Undertaking.
In the Decisions, financial penalties were issued to four organisations for breaching their data protection obligations. These included failing to implement adequate patch management processes, not conducting periodic security reviews, using outdated or unsupported software, and lacking basic accountability measures such as appointing a data protection officer or implementing internal data protection policies. The incidents affected a total of more than 1 million individuals, with personal data exposed through unauthorised access and data exfiltration.
In the Undertaking, the organisation experienced a ransomware attack due to vulnerabilities in its development environment and a lack of proper network segmentation. The affected data included employee and customer personal information. The organisation has committed to implementing stronger technical controls such as restricting admin privileges, isolating networks, and enhancing endpoint security.
Key Takeaways for Organisations
- Apply timely software and system updates
- Conduct regular vulnerability scans and security reviews
- Implement access controls based on least privilege
- Segregate development or high-risk environments from production systems
- Appoint a Data Protection Officer and maintain up-to-date internal policies
Access the Decisions and the Undertaking respectively.
