Data breaches after GDPR: a briefing from our recent in-house legal seminar
Last month saw BCL Legal and Addleshaw Goddard’s breakfast seminar on ‘Data Breaches after GDPR’. The entertaining and informative talk was presented by Ross McKenzie, Partner in Addleshaw’s Data and Commercial Services team. Seven months into the new regulations, and after so much anticipation, how have they affected businesses so far?
There has been significant impact in relation to the reporting of data breaches. GDPR states:
"From 25 May 2018, if you experience a personal data breach you need to consider whether this poses a risk to people. You need to consider the likelihood and severity of any risk to people’s rights and freedoms, following the breach. When you’ve made this assessment, if it’s likely there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report it. You do not need to report every breach to the ICO."
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This covers breaches with both accidental and deliberate causes, and it means that a breach is about more than just losing personal data.
Clearly there is an element of individual judgement here, and that has led to over-reporting. The ICO has received 500 reports by telephone per week since GDPR came into force, and it estimates that a third of these are unnecessary: an obvious and understandable ‘better safe than sorry’ approach. No fines have been issued so far for a failure to report, but as Ross pointed out, these are likely to be wrapped up in the fines for the breach itself, especially in more serious cases.
From a legal recruiter’s perspective, it was interesting to consider that there are now three pieces of data protection legislation in force concurrently:
- GDPR
- Data Protection Act 2018
- Privacy & Electronic Communications Regulations
Ross noted that at some point, certainly post-Brexit, it would seem sensible to consolidate these regulations. From an in-house lawyer’s perspective, these three documents need to be read together, and policies must reflect all of them. Although Google is unlikely to flinch, its recent fine of $50m (for a data breach) highlights the regulators’ appetite to act, so smaller companies will be extremely keen to avoid getting it wrong.
So what should you do in the event of a breach to reduce the chance of a fine? Ross summarised as follows:
- Record the date and time
- Alert and activate your response team
- Secure the data
- Take machines offline
- Keep accurate records
- Interview anyone involved
- Review protocols regarding information
- Assess priorities and risks
- Is it appropriate to involve an external forensic team?
- Is it appropriate to involve the police?
- Notify insurance brokers
Ross provided a useful summary of when to notify the ICO and when to notify the data subjects affected by a breach. It would appear that the common error of using ‘CC’ instead of ‘BCC’ does not always need to be reported to the ICO; it does if a particularly large number of individuals is involved or if sensitive data is revealed.
In other cases (cyber attacks, ransomware attacks, and errors in payroll and coding) it would appear that the ICO must be informed, while data subjects need only be informed in high-risk situations.
All in all, it was an extremely interesting discussion (there was even a relevant mention of Strictly Come Dancing in the mix). I was struck by the fact that there are very few ‘right answers’, merely advisable actions. What seems certain is that mistakes will happen, and we will need to keep monitoring the ICO’s response to various scenarios and remain informed.
If you're an in-house lawyer and you’re interested in attending our seminars on a wide range of topics, please get in touch!