News

GDPR preparation: What do I do in the event of a data breach?

6 min read

26 April 2018

With new data regulations less than a month away from taking effect, our GDPR doctor Neil Larkins explains what happens if a firm is found guilty of a data breach.

This is the part of GDPR that almost everyone will be aware of. When the new regulations were announced – and ever since – the headline has been the introduction of huge fines of as much as four per cent of global turnover for businesses flouting the rules.

The legislation gives regulatory bodies (the ICO in the UK’s case) the right to fine organisations four per cent of their annual global turnover, or €20m, whichever is the greatest.

Undeniably, this is a big jump from the £500,000 maximum fine possible under the current Data Protection Act 1998. Big numbers make good headlines but, in reality, a very serious breach would need to take place for the maximum fine to be levied. Earlier this year the information commissioner, Elizabeth Denham, said that fines will continue to be a last resort.

However, that doesn’t negate the need to adhere to the legislation. Our previous columns outlined a number of steps to ensure compliance in general and, whether the threat of a business-changing fine is present or not, these steps must be taken.

There are, after all, far wider consequences of failing to properly look after data than a fine from the ICO – reputation damage, loss of confidence from investors and the board, customer churn, and so on.

With regard to the first part of the question, and how you deal with the unfortunate occurrence of a data breach, there are new regulations too.

If there is a data breach, you now have to notify the ICO (or the supervisory authority in your jurisdiction if outside the UK) without what is termed ‘undue delay’. This means that, from the time that you become aware of the data breach, you have a maximum of 72 hours to report it, and really should do so as soon as you know about it.

However, there is a caveat here: you do not have to report the incident if ‘the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons’.

So, for example, if the data is encrypted and there is no way any personal information can be gleaned from it, you do not need to let the ICO know. It’s worth noting, though, that the ICO recommends that if you decide you don’t need to report a breach, you must be able to justify that decision, so you should document it. If it deems it necessary, the ICO can compel you to inform those affected.

Let’s work on the basis that the worst happens and reporting to the ICO is necessary. You will need to provide them with as much of the following information as possible:

  • The categories and approximate number of individuals involved
  • The categories and approximate number of personal data records involved
  • The name and contact details of the data protection officer (if you have one) or another contact point where they can get more information
  • A description of the likely consequences of the personal data breach
  • A description of the measures taken, or planned, to deal with the breach, including any measures taken to alleviate its effects

In the case of a severe data breach (think Yahoo! or TalkTalk) you will also need to inform anybody whose data has been caught up in the breach ‘without undue delay’. When communicating with these individuals, you will need to let them know:

  • The name and contact details of your data protection officer (as above, if you don’t have one, a contact where information can be requested)
  • A description of the likely consequences of the breach
  • A description of the measures taken, or planned, to deal with the breach, including any measures taken to alleviate its effects

Now we come back full circle to the fines. While the four per cent figure has repeatedly been quoted, there is actually a lesser fine in some instances – including for a failure to properly report a data breach – of up to two per cent of global turnover or €10m.

Fines or no fines, it’s important that every organisation plans for the worst and has a solid data breach reporting process in place. While, for the most part, you are unlikely to receive the maximum penalty, it’s not worth playing the odds.

Neil Larkins is COO of Egress Software Technologies