Yes, an apology is sufficient based on my understanding of the incident.
Of course it should not have happened and I'm sure people would have been surprised / disappointed but realistically it was not a single large breach (like MGM, Marriot etc.) whereby everyone's data was contained in a data set which will likely end up on the dark web to be used by nefarious persons unknown. It was instead 2,100 single incidents whereby 1 person received another person's data which in my mind reduces the associated risk to that of simply conjecture. If I had been involved then I would have said to explain / apologise to all those affected (as they already know) and to refer to the ICO not because of the data itself but due to the sheer number of people affected. I'm guessing this was all caused due to someone incorrectly placing the letters into the wrong order for the sorting machine which likely sealed the envelopes at the same time so no checks would have been made which is likely a lesson learnt for next time.
From a regulatory perspective I'd suggest the ICO won't do very much other than repeat guidance re checking, auditing etc. and perhaps ridelondon could look into conducting the ballot digitally (following the completion of a suitable DPIA of course).
Kind regards
Robert J Scott
Data Protection Officer
Imperial College London
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Roland Perry
Sent: 20 February 2020 12:06
To: [log in to unmask]
Subject: Re: [data-protection] RideLondon
In message
<[log in to unmask]
ok.com>, at 09:15:14 on Wed, 12 Feb 2020, Ibrahim Hasan <[log in to unmask]> writes
>RideLondon organisers apologise after data breach
>
>https://www.bbc.co.uk/news/uk-england-london-51456778
Is an apology sufficient?
For GDPR, not "fewer-than/less-than" grammar police.
--
Roland Perry
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask] All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|