Have You Suffered A Data Breach? The Clock Is Ticking – You Need to Act Fast.
If there’s one thing that a business can expect – it’s when a data breach happens, not if…
Most businesses, at some point, will suffer a data breach. The nature and severity of this will depend upon the type of personal data the business processes, but also how well prepared you are to act upon breaches…. Please remember that the GDPR requires you by law to investigate and act on a breach within 72 hours of it being discovered – which includes weekends and overnight.
If your business is unaware of this deadline, then our expert privacy team can deliver training to ensure the appropriate people in your organisation are aware of their obligations – otherwise, it could be a very costly both in terms of regulatory action, but also civil action.. a double-edged sword.
As part of your preparations for GDPR, the business is required to establish a process for handling data breaches – your Incident & Breach Management Procedure. If you don’t have one, this should be an urgent task for completion and is something our specialist consultants can provide guidance on and draft for you. It will outline in detail your process for reacting to a data breach incident – and this process should be followed step-by-step.
If the ICO have to get involved with a breach as part of an investigation, this will be one of the first documents they will ask to see – under the accountability principle of the GDPR. If you’re not able to produce this, it will be a very difficult conversation.
What is a Personal Data Breach?
A personal data breach is defined by the GDPR as: “a breach of security leading to the accidental or unlawful
Destruction of personal data – the personal data has been destroyed. Can include fire or other means. It is for this reason our specialists recommend fire-proof or similar appropriate storage units for important documents.
Loss of personal data – the personal data has been lost, whether this is stolen or misplaced having been left unsecured, or there has been IT systems failure or online hack. It is, for this reason, we urge security to be a key consideration when handling hard copies and this is emphasised during our training sessions.
If the loss is due to an online incident such as a hack or phishing attack, the effect can be devastating and affect not only your business but any business you hold contact details for – especially if someone has opened a malicious link. In this case, you are working against the clock to minimise the effect on your business and specialist help from our privacy experts might be the only option.
Alteration of personal data – if the personal data you hold is altered in any way, whether accidentally, or by an unauthorised individual, then this is considered a data breach. It could be a member of staff (had they received training, they would hopefully know better), or somebody outside the business who has gained access, or acted as an imposter to change the details – which is why it is so important to verify the identity of an external individual when they contact you.
Unauthorised disclosure of, or access to personal data – it is, for this reason, it is so important to keep devices such as laptops, tablets or PCs locked when the user is not present, as should anyone gain access to personal data they are not permitted or entitled to view, then this is a data breach.
Such is the ease of uploading data to social media networks or making unlawful transfers of files, unauthorised access can often lead to an individual’s personal data being shared online – meaning you have lost all control over the processing of it – a serious failure of your obligations as a data controller and presenting you with the highly embarrassing task of contacting the affected individuals – and also reporting to the ICO.
Do I have to report all Data Breaches to the ICO?
No, but you must keep an internal log of every breach – irrespective of how minor you may consider them. This is called a Data Breach Log – and you may be asked for this in the event of a major breach and the Supervisory Authority getting involved. If your log shows there is a reoccurring pattern to the breaches you have suffered, this demonstrates you have not gained sufficient learning from these and improved your processes and procedures to prevent similar incidents in the future – something which may result in a fine or processing restriction being imposed.
Once you discover a data breach, you have a deadline of 72 hours to isolate the affected area, conduct your initial investigation and submit a report to the ICO, or log the details internally. This 72 hours includes weekends, so a breach at 16.30hrs on Friday has a deadline of 16.30hrs on Monday – and you will need every one of those 72 hours.
Failure to do this in the initial 72 hours is a breach of the legislation itself and the ICO will want a full explanation of the delay in reporting. European regulators have already imposed monetary penalties of €15,000 for breaching this deadline – a failure under Article 33 of the GDPR, so the ICO are also likely to take enforcement action.
Specialist guidance from our privacy team could mean the deadline is met with some hours to spare – but that depends on the severity of the incident.
Based on this summary – how confident are you of being able to identify a data breach in your business and be sure you have acted accordingly? Our team are experienced in this – and will act fast to ensure your obligations are quickly covered off.
Minor Data Breach
If the data breach is unlikely to result in a high risk to the rights and freedoms of the individuals, then you are not obliged to report it to the ICO, or the affected individuals. A complete record of the incident and the learnings you take, and the remediation measures you put in place must be made in your centralised Data Breach Log. If you are unsure of how your breach should be classified, then you need specialist guidance to ensure your reporting is appropriate.
Medium Data Breach
If the data breach affects a significant number of individuals, then the ICO should be notified by telephone and a report submitted online. They will ask you how it happened, the number of data subjects affected, types of personal data and what you are doing to address/remedy the incident. They may ask you to report back to them to update on your handling of the situation.
Severe Data Breach
This is where the rights and freedoms of individuals have been put at risk as a result of the data breach – irrespective of the number of people affected.
In this instance, you will need to:
- Activate your Breach Management Plan and ensure a senior manager is overseeing the incident.
- Identify and isolate the cause of the data breach.
- Identify the number of data subjects involved and the types of personal data involved
- Identify what the potential impact on the data breach is – from the perspective of the data subjects.
- Contact the ICO to formally report.
- Devise a strategy for the affected data subjects to be contacted via an appropriate channel.
- Devise a remediation strategy to ensure learnings are made from this incident and there is no repeat.
If the breach is due to a systematic failure on the side of the business, the ICO may decide to conduct an independent investigation. In this event, you can expect a monetary penalty, or other operational restrictions imposed.
It’s worth noting at this point, that companies who engage with Privacy Helper’s DPO Service – will receive ongoing guidance from our team of experts in the event of a data breach, thus removing most of the stress from the initial stage. We are well-versed in handling data breaches. We will also act as the main point of contact when dealing with the ICO.
Fines
Under the previous Data Protection Act, 1998, the maximum fine that could be imposed was £500,000 – which was reserved for Facebook in October 2018.
Under the GDPR, huge fines can be levied
TIER 1 – Lower level fine: €10m / £7m, or 2% of group global turnover.
Processing failures include failure to keep and maintain Records of Processing Activities (Article 30, GDPR), poor security around your processing activities, lack of data protection culture throughout the business and no data privacy impact assessments for new systems and processes.
TIER 2 – more severe processing failures: €20m / £17m, or 4% of group global turnover.
Processing failures include failures around the basic principles of the GDPR, failures of the rights of the data subject, and transfers of personal data to a recipient in a third country or an international organisation.
Fines to date
Many millions of euros of fines have been imposed by European data protection regulators so far, however, the ICO has been less active with fining, preferring to issue “reprimands” intention to fine” notices or orders to stop processing.
The ICO has issued two “Intention to Fine” notices at British Airways and Marriot Hotels.
British Airways initially faced a fine of £183 million, which was reduced to £20m, while Marriot Hotels initially faced £99m, but this was reduced to £18.4m.
Considering the largest fine from the previous Data Protection Act was £500,000 – this is a huge increase and demonstrates how seriously the regulators are taking data breaches that occur due to the failure of organisations to comply with the legislation – remember you are legally required to comply – it is not a choice.
No Win, No Fee…
The data protection authorities will also support individuals who wish to bring civil cases against companies that breach their data through bad or poor business practices. With the end of PPI, claims lawyers are targeting data subjects who have been affected by data breaches to sue organisations for a failure to adequately protect their personal data on a No Win, No Fee basis
So, not only do will you need legal representation for your ICO case, but you will also need representation to fight a civil case. How much will you need to set aside for legal fees?
Consider also the bad press – all cases the ICO bring are publicised, so your company name will be established with data protection failures. This may cause a desertion of clients or a loss of new business…
Suddenly engaging with a data protection specialist to guide your business through GDPR compliance seems a very worthwhile investment!
Had a Data Breach? Contact us NOW for guidance from the experts
