
Have You Suffered A Data Breach? The Clock Is Ticking - You Need to Act Fast.

If there’s one thing a business can expect, it’s that a data breach is a question of when, not if.

Most businesses, at some point, will suffer a data breach. The nature and severity of this will depend upon the type of personal data the business processes, but also upon how well prepared you are to act upon breaches. Please remember that the GDPR requires you BY LAW to investigate and act on a breach within 72 hours of it being discovered – and that window includes weekends and overnight.

If your business is unaware of this deadline, our specialist privacy team can deliver training to ensure the appropriate people in your organisation are aware of their obligations – otherwise it could be very costly, both in terms of regulatory action and civil action: a double-edged sword.

As part of your preparations for GDPR, the business is required to establish a process for handling data breaches – your Incident & Breach Management Procedure. If you don’t have one, this should be an urgent task for completion and is something our consultants can provide guidance on. It will outline in detail your process for reacting to a data breach incident – and this process should be followed step by step.

If the ICO have to get involved with a breach as part of an investigation, this will be one of the first documents they will ask to see – under the accountability principle of the GDPR. If you’re not able to produce it, it will be a very difficult conversation.

What is a Personal Data Breach?

A personal data breach is defined by the GDPR as “a breach of security leading to the accidental or unlawful” destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Each of these is described below:

Destruction of personal data – the personal data has been destroyed. This can include destruction by fire or other means. It is for this reason our specialists recommend fire-proof or similar appropriate storage units for important documents.

Loss of personal data – the personal data has been lost, whether it has been stolen, misplaced after being left unsecured, or lost through an IT systems failure or online hack. It is for this reason we urge security to be a key consideration when handling hard copies, and this is emphasised during our training sessions.

If the loss is due to an online incident such as a hack or phishing attack, the effect can be devastating and affect not only your business, but any business you hold contact details for – especially if someone has opened a malicious link. In this case, you are working against the clock to minimise the effect on your business, and specialist help from our privacy experts might be the only option.

Alteration of personal data – if the personal data you hold is altered in any way, whether accidentally or by an unauthorised individual, then this is considered a data breach. It could be a member of staff (had they received training, they would hopefully know better), or somebody outside the business who has gained access, or acted as an impostor to change the details – which is why it is so important to verify the identity of an external individual when they contact you.

Unauthorised disclosure of, or access to, personal data – should anyone gain access to personal data they are not permitted or entitled to view, this is a data breach. It is for this reason it is so important to keep devices such as laptops, tablets or PCs locked when the user is not present.

Given the ease of uploading data to social media networks or making unlawful transfers of files, unauthorised access can often lead to an individual’s personal data being shared online – meaning you have lost all control over the processing of it. This is a serious failure of your obligations as a data controller, and it presents you with the highly embarrassing task of contacting the affected individuals, as well as reporting to the ICO.


Do I have to report all Data Breaches to the ICO?


No, but you must keep an internal log of every breach – however minor you may consider it. This is called a Data Breach Log, and you may be asked for it in the event of a major breach and the Supervisory Authority getting involved. If your log shows a recurring pattern to the breaches you have suffered, this demonstrates you have not learned sufficiently from them and improved your processes and procedures to prevent similar incidents in future – something which may result in a fine or processing restriction being imposed.

Once you discover a data breach, you have a deadline of 72 hours to isolate the affected area, conduct your initial investigation and submit a report to the ICO, or log the details internally. This 72 hours includes weekends, so a breach at 16.30hrs on Friday has a deadline of 16.30hrs on Monday – and you will need every one of those 72 hours.

Failure to do this in the initial 72 hours is a breach of the legislation itself, and the ICO will want a full explanation of the delay in reporting. European regulators recently imposed monetary penalties of €15,000 for breaching this deadline – a failure under Article 33 of the GDPR – so the ICO are likely to impose similar fines.

Specialist guidance from our privacy team could mean the deadline is met with some hours to spare – but that depends on the severity of the incident.

Based on this summary – how confident are you of being able to identify a data breach in your business and be sure you have acted accordingly?  Our team are experienced in this – and will act fast to ensure your obligations are quickly covered off.

Minor Data Breach


If the data breach is unlikely to result in a high risk to the rights and freedoms of the individuals, then you are not obliged to report it to the ICO or to the affected individuals. A complete record of the incident, the learnings you take from it, and the remediation measures you put in place must be made in your centralised Data Breach Log. If you are unsure how your breach should be classified, then you need specialist guidance to ensure your reporting is appropriate.

Medium Data Breach

If the data breach affects a significant number of individuals, then the ICO should be notified by telephone and a report submitted online. They will ask you how it happened, the number of data subjects affected, types of personal data and what you are doing to address / remedy the incident. They may ask you to report back to them to update on your handling of the situation.

Severe Data Breach

This is where the rights and freedoms of individuals have been put at risk as a result of the data breach – irrespective of the number of people affected.

In this instance, you will need to:

  • Activate your Breach Management Plan and ensure a senior manager is overseeing the incident.

  • Identify and isolate the cause of the data breach.

  • Identify the number of data subjects involved and the types of personal data involved.

  • Identify what the potential impact of the data breach is – from the perspective of the data subjects.

  • Contact the ICO to formally report.

  • Devise a strategy for the affected data subjects to be contacted via an appropriate channel.

  • Devise a remediation strategy to ensure learnings are made from this incident and there is no repeat.

If the breach is due to a systematic failure on the side of the business, the ICO may decide to conduct an independent investigation. In this event, you can expect a monetary penalty, or other operational restrictions imposed.

It’s worth noting at this point that companies who engage with Privacy Helper’s DPO Service will receive on-going guidance from our team of experts in the event of a data breach, thus removing most of the stress from the initial stage. We are well-versed in handling data breaches. We will also act as the main point of contact when dealing with the ICO.

Fines

Under the previous Data Protection Act, 1998, the maximum fine that could be imposed was £500,000 – which was reserved for Facebook in October 2018.

Under the GDPR, huge fines can be levied:

TIER 1 – Lower level fine: €10m / £7m, or 2% of group global turnover.

Processing failures include: failure to keep and maintain Records of Processing Activities (Article 30, GDPR), poor security around your processing activities, lack of data protection culture throughout the business and no data privacy impact assessments for new systems and processes.

TIER 2 – more severe processing failures: €20m / £17m, or 4% of group global turnover.

Processing failures include: failures around the basic principles of the GDPR, failures to uphold the rights of data subjects, and transfers of personal data to a recipient in a third country or an international organisation.

Fines to date

Many millions of euros of fines have been imposed by European data protection regulators so far, however none have come from the ICO.

The ICO have issued two “Intention to Fine” notices, to British Airways and Marriott Hotels.

British Airways are facing a fine of £183 million, while Marriott Hotels face £99m.

Considering that the largest fine under the previous Data Protection Act was £500,000, this is a huge increase. It demonstrates how seriously the regulators are taking data breaches that occur because organisations have failed to comply with the legislation. Remember, you are legally required to comply – it is not a choice.

No Win, No Fee…

The data protection authorities will also support individuals who wish to bring civil cases against companies who breach their data through bad or poor business practices. With the end of PPI, claims lawyers are targeting data subjects who have been affected by data breaches, offering to sue organisations for a failure to adequately protect their personal data on a No Win, No Fee basis.

So, not only will you need legal representation for your ICO case, but you will also need representation to fight a civil case. How much will you need to set aside for legal fees?

Consider also the bad press – all cases the ICO bring are publicised, so your company name will become associated with data protection failures. This may cause a desertion of clients, or a loss of new business…

Suddenly engaging with a data protection specialist to guide your business through GDPR compliance seems a very worthwhile investment! 

Had a Data Breach? Contact us NOW for guidance from the experts


If you discover a data breach and require our immediate assistance, contact us through this website, or telephone the office directly on 01234 981999 and our specialists will do all they can to relieve the stress of the next 72 hours... and beyond.

Our standard consulting rates for breach management activity are £125 per hour, per consultant, plus agreed subsistence expenses.

Emergency out of hours breach service

Should you discover a breach when most offices are closed, Privacy Helper offer an out-of-hours service that provides support to you when you most need it.

Services include:
• If practical, an on-site visit.
• If not practical, support over the phone as to your immediate obligations.
• Guidance on the likelihood you will need to report to the ICO, or make contact with the data subjects.

Our London Emergency GDPR Data Breach Service starts at £250 per hour, per consultant, with the rest of the UK starting at £200 per hour, per consultant.  Reasonable subsistence expenses will also apply for site visits. The Emergency GDPR Data Breach Service operates between the hours of 18.00 – 08.00 Monday to Friday & 18.00 Friday to 08.00 Monday. We will need you to sign the work off before we begin the engagement.


What next?

Get in touch via our contact us page, tell us about your business and a member of our team will get back to you.
