Data Breach

Need Data Breach Specialists Fast? Avoid Fines and Fix the Breach!

Have You Suffered A Data Breach? The Clock Is Ticking – You Need to Act Fast.

If there’s one thing that a business can expect – it’s when a data breach happens, not if…

Most businesses, at some point, will suffer a data breach. The nature and severity of this will depend upon the type of personal data the business processes, but also how well prepared you are to act upon breaches…. Please remember that the GDPR requires you by law to investigate and act on a breach within 72 hours of it being discovered – which includes weekends and overnight.

If your business is unaware of this deadline, then our expert privacy team can deliver training to ensure the appropriate people in your organisation are aware of their obligations – otherwise, it could be a very costly both in terms of regulatory action, but also civil action.. a double-edged sword.

As part of your preparations for GDPR, the business is required to establish a process for handling data breaches – your Incident & Breach Management Procedure.  If you don’t have one, this should be an urgent task for completion and is something our specialist consultants can provide guidance on and draft for you. It will outline in detail your process for reacting to a data breach incident – and this process should be followed step-by-step.

If the ICO have to get involved with a breach as part of an investigation, this will be one of the first documents they will ask to see – under the accountability principle of the GDPR.  If you’re not able to produce this, it will be a very difficult conversation.

What is a Personal Data Breach?

A personal data breach is defined by the GDPR as: “a breach of security leading to the accidental or unlawful

Destruction of personal data – the personal data has been destroyed. Can include fire or other means. It is for this reason our specialists recommend fire-proof or similar appropriate storage units for important documents.

Loss of personal data – the personal data has been lost, whether this is stolen or misplaced having been left unsecured, or there has been IT systems failure or online hack. It is, for this reason, we urge security to be a key consideration when handling hard copies and this is emphasised during our training sessions.

If the loss is due to an online incident such as a hack or phishing attack, the effect can be devastating and affect not only your business but any business you hold contact details for – especially if someone has opened a malicious link.  In this case, you are working against the clock to minimise the effect on your business and specialist help from our privacy experts might be the only option.

Alteration of personal data – if the personal data you hold is altered in any way, whether accidentally, or by an unauthorised individual, then this is considered a data breach. It could be a member of staff (had they received training, they would hopefully know better), or somebody outside the business who has gained access, or acted as an imposter to change the details – which is why it is so important to verify the identity of an external individual when they contact you.

Unauthorised disclosure of, or access to personal data – it is, for this reason, it is so important to keep devices such as laptops, tablets or PCs locked when the user is not present, as should anyone gain access to personal data they are not permitted or entitled to view, then this is a data breach.

Such is the ease of uploading data to social media networks or making unlawful transfers of files, unauthorised access can often lead to an individual’s personal data being shared online – meaning you have lost all control over the processing of it – a serious failure of your obligations as a data controller and presenting you with the highly embarrassing task of contacting the affected individuals – and also reporting to the ICO.

Do I have to report all Data Breaches to the ICO?

No, but you must keep an internal log of every breach – irrespective of how minor you may consider them.  This is called a Data Breach Log – and you may be asked for this in the event of a major breach and the Supervisory Authority getting involved. If your log shows there is a reoccurring pattern to the breaches you have suffered, this demonstrates you have not gained sufficient learning from these and improved your processes and procedures to prevent similar incidents in the future – something which may result in a fine or processing restriction being imposed.

Once you discover a data breach, you have a deadline of 72 hours to isolate the affected area, conduct your initial investigation and submit a report to the ICO, or log the details internally. This 72 hours includes weekends, so a breach at 16.30hrs on Friday has a deadline of 16.30hrs on Monday – and you will need every one of those 72 hours.

Failure to do this in the initial 72 hours is a breach of the legislation itself and the ICO will want a full explanation of the delay in reporting.  European regulators have already imposed monetary penalties of €15,000 for breaching this deadline – a failure under Article 33 of the GDPR, so the ICO are also likely to take enforcement action.

Specialist guidance from our privacy team could mean the deadline is met with some hours to spare – but that depends on the severity of the incident.

Based on this summary – how confident are you of being able to identify a data breach in your business and be sure you have acted accordingly?  Our team are experienced in this – and will act fast to ensure your obligations are quickly covered off.

Minor Data Breach

If the data breach is unlikely to result in a high risk to the rights and freedoms of the individuals, then you are not obliged to report it to the ICO, or the affected individuals.  A complete record of the incident and the learnings you take, and the remediation measures you put in place must be made in your centralised Data Breach Log. If you are unsure of how your breach should be classified, then you need specialist guidance to ensure your reporting is appropriate.

Medium Data Breach

If the data breach affects a significant number of individuals, then the ICO should be notified by telephone and a report submitted online. They will ask you how it happened, the number of data subjects affected, types of personal data and what you are doing to address/remedy the incident. They may ask you to report back to them to update on your handling of the situation.

Severe Data Breach

This is where the rights and freedoms of individuals have been put at risk as a result of the data breach – irrespective of the number of people affected.

In this instance, you will need to:

  • Activate your Breach Management Plan and ensure a senior manager is overseeing the incident.
  • Identify and isolate the cause of the data breach.
  • Identify the number of data subjects involved and the types of personal data involved
  • Identify what the potential impact on the data breach is – from the perspective of the data subjects.
  • Contact the ICO to formally report.
  • Devise a strategy for the affected data subjects to be contacted via an appropriate channel.
  • Devise a remediation strategy to ensure learnings are made from this incident and there is no repeat.

If the breach is due to a systematic failure on the side of the business, the ICO may decide to conduct an independent investigation. In this event, you can expect a monetary penalty, or other operational restrictions imposed.

It’s worth noting at this point, that companies who engage with Privacy Helper’s DPO Service – will receive ongoing guidance from our team of experts in the event of a data breach, thus removing most of the stress from the initial stage. We are well-versed in handling data breaches. We will also act as the main point of contact when dealing with the ICO.

Fines

Under the previous Data Protection Act, 1998, the maximum fine that could be imposed was £500,000 – which was reserved for Facebook in October 2018.

Under the GDPR, huge fines can be levied

TIER 1 – Lower level fine: €10m / £7m, or 2% of group global turnover.

Processing failures include failure to keep and maintain Records of Processing Activities (Article 30, GDPR), poor security around your processing activities, lack of data protection culture throughout the business and no data privacy impact assessments for new systems and processes.

TIER 2 – more severe processing failures: €20m / £17m, or 4% of group global turnover.

Processing failures include failures around the basic principles of the GDPR, failures of the rights of the data subject, and transfers of personal data to a recipient in a third country or an international organisation.

Fines to date

Many millions of euros of fines have been imposed by European data protection regulators so far, however, the ICO has been less active with fining, preferring to issue “reprimands” intention to fine” notices or orders to stop processing.

The ICO has issued two “Intention to Fine” notices at British Airways and Marriot Hotels.

British Airways initially faced a fine of £183 million, which was reduced to £20m, while Marriot Hotels initially faced £99m, but this was reduced to £18.4m.

Considering the largest fine from the previous Data Protection Act was £500,000 – this is a huge increase and demonstrates how seriously the regulators are taking data breaches that occur due to the failure of organisations to comply with the legislation – remember you are legally required to comply – it is not a choice.

No Win, No Fee…

The data protection authorities will also support individuals who wish to bring civil cases against companies that breach their data through bad or poor business practices. With the end of PPI, claims lawyers are targeting data subjects who have been affected by data breaches to sue organisations for a failure to adequately protect their personal data on a No Win, No Fee basis

So, not only do will you need legal representation for your ICO case, but you will also need representation to fight a civil case.  How much will you need to set aside for legal fees?

Consider also the bad press – all cases the ICO bring are publicised, so your company name will be established with data protection failures. This may cause a desertion of clients or a loss of new business…

Suddenly engaging with a data protection specialist to guide your business through GDPR compliance seems a very worthwhile investment!

Had a Data Breach? Contact us NOW for guidance from the experts

SIMPLE, STRAIGHTFORWARD AND HIGHLY COMPETITIVE COSTS FOR THE UK’S LEADING PRIVACY AGENCY

As with our ethos, our pricing structure is simple, straightforward and highly competitive – we offer fixed-price options.

Audit Only

For companies that will action the output of the Gap Analysis themselves or via a third-party

£175 per hour

(Budget 3 hours per Department/Work Area)

No contract commitment
Single fixed price

  • Basic Gap Analysis (consulting hours based on the number of departments/work areas in the organisation)
  • Initial Discovery Phase
  • Delivery of Executive Summary & RAG Report
  • Report contains both “Quick Wins” and “Long-Term Tasks”

Audit plus Action

For companies that need Outsourced DPO and long-term gap-closure support

£150 per hour

(Budget 3 hours per Department/Work Area)

Leads to a GDPR Action & Outsourced DPO plan
Single fixed price

  • Gap Analysis (consulting hours based on the number of departments/work areas in the organisation)
  • Initial Discovery Phase
  • Delivery of Executive Summary & RAG Report
  • Report contains both “Quick Wins” and “Long-Term Tasks”

Recommended

When on-site, our working day is 9am – 5pm. For site visits, reasonable subsistence expenses are charged, however these are all agreed by you in advance. On large-scale projects, where our Global Privacy Consultants are engaged, fees are £250 per hour.

Our hourly rates mean you only pay for EXACTLY the time we need for the task – our hours are recorded on timesheets, so we are fully accountable for time vs tasks!

At PRIVACYHELPER, we pride ourselves on tailoring packages to suit your business – your needs and your budget. That is why we don’t offer pre-packaged services that your business has to try and fit into.

Once we have conducted the data discovery phase, or reviewed your existing GAP analysis documents, we’ll propose a set number of days per month – based on the size of the business, the challenges you face and the amount of guidance you’ll need from us.

This resourcing model is perfect for most companies, as it offers you the flexibility to use our time intensively when the need arises, but to keep time to a minimum at other times. You remain in complete control of your budgets!

Why choose us?

Click here to find out why we are the UK’s #1 privacy consultancy.

How much will this cost?

Our pricing structure is simple, straightforward and highly competitive. Head over to our pricing page and take a look at our most popular packages.

What next?

Get in touch via our contact us page, tell us about your business and a member of our team will get back to you.

Other services you may be interested in from PRIVACYHELPER

Security Icon

GDPR Consultancy

Our Privacy Team consists of expert data protection consultants in the fields of IT & Technical, Legal, Records Management and Marketing.

GDPR Training Courses

An effective, demonstrable training programme can be the difference between the ICO imposing monetary fines – or not, even if your data privacy programme has just started.

Marketing

Is your marketing activity legal? We can make sure it is.