Data breaches: containing the chaos
Breaches in the press
Data has never been more valuable but it seems that data breach incidents are rarely out of the news these days. That reflects the diverse and ever-increasing range of threats to the security and integrity of data. In its first year alone, the National Cyber Security Centre recorded more than 1100 attacks, over half of which were regarded as significant. A breach can result in the loss of valuable business data, damage to reputation and exposure to litigation and regulatory fines.
The General Data Protection Regulation (GDPR) comes into effect on 25 May this year, introducing a requirement for personal data breaches to be notified to regulators (unless unlikely to result in a risk to the rights and freedoms of individuals) and, in certain cases, to the individuals whose personal data has been affected. The GDPR operates a two-tier fining structure. Failure to notify can result in a fine of up to €10 million or two per cent of annual worldwide turnover, while the data breach itself could give rise to the most significant penalties under the GDPR, namely up to €20 million or four per cent of annual worldwide turnover. Other, sector-specific, notification requirements may also apply.
Risky business
There is, unfortunately, no such thing as zero risk of a data breach. Instead, the focus needs to be on managing the risks and ensuring that you are properly prepared to respond to the worst-case scenario. This means having the systems and plans in place to be able to detect a breach, contain it as far as possible, identify and assess the risks that result, and make any necessary notifications. That requires thinking about these issues in advance and making sure that your plan has been tested with scenario-based exercises. In the financial services sector, the Financial Conduct Authority has noted that all too often it sees firms creating their plans at the same time as dealing with the effects of the incident. Firms in all sectors would do well to heed this lesson and use this time to review the arrangements they have in place for dealing with a data breach.
Plan – what plan?
- How well prepared are you to contain and respond to a significant data breach?
- Would you be in a position to notify the relevant regulators, at the same time as, say, dealing with the press and taking steps to limit reputational damage?
- Have you conducted a scenario planning exercise to test how effective your incident response plan is? Do you have a plan?
If you answer no to any of these questions – don't panic. You're probably not alone and our team of experts can help.
Byte-sized news
- B2B direct marketing – the corporate subscriber. Recent guidance on business-to-business marketing issued by the Information Commissioner's Office (ICO) reminds organisations that consent is not required under the Privacy and Electronic Communications Regulations 2003 (PECR) when marketing to corporate email addresses (i.e. firstname.surname@organisation.com). The PECR distinguishes between an "individual subscriber" and a "corporate subscriber" – the rules that apply depend on the categorisation. Note that such information could still constitute personal data and be subject to data protection law and, in particular, the GDPR.
- ICO dawn raid powers under Data Protection Bill. The UK's new Data Protection Bill largely mirrors the GDPR, aiming to ensure a compatible regime in the event of Brexit. It also significantly extends the ICO's investigatory and law enforcement powers. Under the Bill, the ICO will have the power to conduct dawn raids against any controller or processor organisation falling within the scope of the legislation. The ICO will issue an assessment notice which will permit it to carry out an investigation, but it must also obtain a warrant in order to enter premises.
- IoT devices and the GDPR. In a recent post the ICO has reminded manufacturers of Internet of Things devices that they will need to ensure GDPR compliance from as early as the development stages of their products. Tools such as a data protection impact assessment (DPIA) should be used where appropriate to help identify relevant issues. Before the devices are marketed, it is important to establish how they will maintain compliance with data protection law. For example, software updates to prevent data leaks and transparency on the use of customer data are imperative.
With special thanks to Inbali Iserles, Gita Shivarattan and Shanice McAnuff for their contribution.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.