Already a customer?
Log a ticket

What Does The Carphone Warehouse Fine Mean For SMEs?

Share on facebook
Share on twitter
Share on linkedin
Share on google
Share on email

£400k and we haven’t even started GDPR yet

A few days ago, the Information Commissioner’s Office (ICO) slapped a meaty £400,000 fine on Carphone Warehouse for a data breach it suffered in 2015.

Due to the company’s out-of-date WordPress sites, hackers were able to steal personal data on more than three million customers and over 1,000 employees.

Under current rules, the fine is just shy of the maximum £500,000 it could have been fined. However, as some commentators have remarked, that could have been a much higher figure if General Data Protection Regulation (GDPR) were being enforced. Indeed, at a maximum of 4% of turnover, it could have been around £17 million.

The Carphone Warehouse Reality

Of course, that’s completely theoretical. Although GDPR allows for such massive fines, there’s no way of knowing whether the ICO would have hit Carphone Warehouse with the full weight of the law. Indeed, the fact it didn’t fine the company the full 500 grand it could have might suggest that it saw this as a decidedly 400k kind of offence.

That said, Information Commissioner Elizabeth Denham was fairly damning of Carphone Warehouse’s conduct:

“A company as large, well-resourced and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.

“Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”

Clearly, then, Carphone Warehouse should have done better, and the potentially enormous fines of GDPR are meant to be a deterrent against such negligence – so maybe it really did get off lightly…

Judges gavel - Carphone Warehouse fine
If you take data protection seriously, that’s likely to be taken into account in the event of a breach

What Does This Mean For SMEs?

Whatever the case, it’s interesting that the ICO should bring up the size of the company. All businesses and organisations have a duty of care when it comes to data protection, but there’s no doubt big corporations with larger amounts of data are judged more harshly for their transgressions. The same logic will probably apply when GDPR comes into force on 25th May 2018.

These big money headlines draw in clicks for websites, and they act as a useful reminder to take data protection seriously. But owners of small- and medium-sized businesses shouldn’t be led to panic. If they have good cyber security solutions; make regular, encrypted backups of data; and treat personal data with the respect it deserves, they are unlikely to be hauled over the coals in the aftermath of a data breach. Plus the standards expected of them will pale in comparison with what big businesses like Carphone Warehouse will have to achieve in this area.

Maybe the most important lesson of all is that it’s important to maintain a sense of perspective when looking at these fines.

Leave a Comment

Your email address will not be published. Required fields are marked *


TMB Privacy Policy

Why do we hold personal data?

Like any business, TMB Group has to keep personal data about staff, clients and potential customers. When you fill in the contact form on our website, for example, we need to keep a record so we can get back to you. Data is also held so we can deliver our services and so we can provide useful information, such as security update news.

What data do we keep?
Depending on our relationship with you, we’ll hold information such as your first and last names, your email address, your phone number and your postal address. We will also possibly have details about your business and those who work for you. If you’re a customer, then we may have some of your banking detail so we’re able to accept payments for the services we provide.

How is your data stored?

As a responsible IT company, TMB stores personal data on secured computer systems. Anything that is archived will be placed on encrypted drives.

We do use third-party customer management software, Autotask, which means data may be stored on their servers, but only the data we need to deliver our services. The same goes for the Microsoft services we use, such as Word, Excel and PowerPoint, which store information on Microsoft’s cloud servers. We also use Mailchimp for marketing purposes: to send emails and to manage subscriber lists.

These third parties are not permitted to share your data or to use it for marketing purposes. You can find Autotask’s privacy policy here: Microsoft’s privacy policy for Office 365 is here: Mailchimp’s policy is here:

How long do we keep your data?

We will keep your data in our systems until it is no longer relevant to our business, but you can request that we remove or update it at any time. We will also inform any relevant third parties of your request.

Access to your information

The key thing to remember is that your data belongs to you. That means you can request copies of your personal data any time you like, or to access and update it. You also have the right to be forgotten, so if you ask that we delete your data, we will do so or provide a valid reason why we are unable to. We will, of course, require proof of your identity before addressing any such request.

Depending on your request, your information may be provided to you electronically. In such cases, it will be provided in a commonly used format.

Unsubscribing and deletion

Unsubscribing is not the same as a request for us to delete personal data. If, for example, you unsubscribe from a mailing list, it is necessary to keep your email address on record to prevent marketing email from being sent to you. If we were to delete that information, we would have no way to tell if you have unsubscribed. Nevertheless, you still have the right to request erasure of your personal data.

Your right to complain

If, for any reason, you are unhappy with the way your personal data is treated by us, you have the right to complain to a supervisory authority. In the UK, that would be the Information Commissioner’s Office (ICO).

Website analytics

Anyone who visits our website will automatically have data about them collected via Google Analytics. This gives us broad information about what people are doing on our website and which pages they are looking at. It does not provide us with personal information that could be used to identify individuals.


Cookies are small text files that web browsers receive from websites. They are stored on your computer, and they enable sites to do things like remember if you’ve visited before, if you’re a customer, what your preferences are and so on. You are entitled to view our website without them, but you may lose this kind of functionality if you do so.

International data transfers

Information that we collect may be stored and processed in and transferred between any of the countries in which we operate in order to enable us to use the information in accordance with this privacy policy.

Data controllers and processors

TMB is the controller for marketing activity and personal data/special category data we hold on our own employees, but we are the processor when processing our customers’ personal data (e.g. buying a licence for a named individual).  We  may use sub-processors for processing data given to us by customers.

What we won’t ever do is sell your data. And if you sign up to our mailing list, you’ll only receive marketing material from TMB as a result – no one else.

For any questions regarding your data, contact TMB’s technical director, Richard Shuker, at or write to us at A1 Endeavour Business Park, Penner Road, Havant, Hampshire, PO9 1QN..