Details have recently been revealed about two security flaws – Meltdown and Spectre – which affect nearly all modern computers and could make them vulnerable to attacks, allowing the extraction of information from memory locations that should be inaccessible and secure.
The ICO has published a comment highlighting the implications for data controllers, who should assess the vulnerabilities of their systems and apply the patches as soon as possible. The failure to adopt security measures relating to known vulnerabilities is a factor that may be taken into account for the purposes of compliance with the GDPR, especially when the measures should and could have been adopted previously. Also, organizations using cloud providers should obtain assurances from the provider that the vulnerabilities have been patched.
Finally, the ICO underlines the need to have an effective layered security system in order to comply with the privacy by design principle and mitigate any attack.