GDPR – how it can go wrong and how to deal with a breach
Last Updated: March 7th, 2025

The majority of our clients are small businesses with growth ambitions. But it can be that very growth which puts companies at risk of breaching data regulations, as well as stretching capacity to deal with problems when they arise.
The UK GDPR gives the ICO the power to impose fines of up to £17.5m or 4% of annual worldwide turnover, whichever is higher. The ICO has a conservative reputation among European regulators and is reluctant to impose fines, but the power remains and should be taken seriously by any business in breach.
How a GDPR breach can occur
There are many ways a business can end up breaching the GDPR rules or suffering a data breach, and not all of them are obvious. One example we see quite often is a business growing through acquisition that struggles to bring its acquired operations into line on people, policies, equipment and practice. Inconsistent systems and controls across the group can easily lead to a data breach, perhaps involving software, payment systems or data security.
How to deal with a data breach
There will be many practical actions to take, but the urgent steps we recommend to protect the legal position as far as possible are these:
- Get a GDPR team together - where it is clear that data has been compromised, it may not yet be clear what the implications and potential damage to third parties are. The first thing to do is to convene a team, led by a director, to manage the response, with the highest priority given to working out what data has been breached and whether it has been maliciously taken.
- Notify insurers and external advisers - if you have cyber-liability insurance, inform your insurers right away. Insurers may have their own incident response services that can assist your efforts. If not, it is time to appoint external advisers: forensic IT/cyber security consultants, teams who can manage communications with affected customers and, of course, lawyers. It is extremely rare for internal IT teams to have the skills needed to investigate a serious data breach, and they would be asked to spot failings in their own systems. Instructing lawyers at an early stage helps manage risk at a time when litigation or regulatory enforcement action may be in prospect.
- Consider obligations to notify the ICO - the legal obligation is to keep under continual review whether you must notify the ICO of the breach. Unless the breach is unlikely to result in a risk to the rights and freedoms of individuals, you must notify without undue delay and, where feasible, within 72 hours of becoming aware of it; if notification is made later than 72 hours, it must be accompanied by the reasons for the delay.
- Consider notifying the people whose data has been breached - the key criterion under the GDPR for whether affected individuals must be told is whether the breach is likely to result in a high risk to their rights and freedoms. Where this applies, the notification must be made without undue delay and in clear and plain language, describing the nature of the breach and giving, as a minimum, the name and contact details of your data protection officer or another contact point, the likely consequences of the breach, and the steps taken or proposed to deal with it and/or mitigate its consequences.
GDPR breaches which do not need notification
Notification to the data subject of a breach is not required where:
- technical and organisational measures were applied to the affected data that render it unintelligible to anyone not authorised to access it (for example, where it is properly encrypted);
- subsequent steps taken mean that the high risk to individuals' rights and freedoms is no longer likely to materialise; or
- it would involve disproportionate effort to contact each affected person individually, given the number of people involved, in which case a public communication or similar measure that informs them equally effectively may be used instead.
You should take legal advice on whether your customers need to be notified following a data breach. Some businesses will also want PR advice, especially in industries such as financial services where data protection is likely to be a particular priority. The PR advice might initially be limited to a public statement, which in some cases will be the only notification the affected data subjects receive.
Why a rapid and thorough investigation is so important
The ICO says its main priority is not fining businesses large amounts of money. Notwithstanding this, a serious breach that the business had the resources to prevent may well attract a significant fine. Key initial action after a breach must therefore include a thorough investigation, ideally incorporating legal advice, with every step of the investigation documented.
Gannons can help manage this process, so you have one less thing to worry about when things go wrong.

Let us take it from here
Call us on 020 7438 1060 or complete the form and one of our team will be in touch.

Alex Kennedy
I know that in times of difficulty what you need is a solid platform behind you working on your side to find resolution. I set about that task as quickly as possible.