The Information Commissioner (the Commissioner) issues a reprimand to GRS (Roadstone) Limited in respect of infringements of Article 32 (1) (b) and Article 32 (1) (d) of the UK GDPR. The organisation did not have appropriate security measures in place, which resulted in an unauthorised Threat Actor being able to exfiltrate the individual personal data of current and former employees.