With time and energy being scarce, all of these challenges might seem like problems for another day - until catastrophe strikes.
The majority of our clients are small businesses with growth ambitions. But it can be that very growth which puts companies at risk of breaching data regulations, as well as stretching capacity to deal with problems when they arise.
Businesses growing through acquisition may be struggling to harmonise policies across previously disparate teams. They might have recently begun to accept online payments from credit or debit cards, but have the payment system established before the proper security systems are in place. Rapid growth means that data is stored on servers which are physically removed from one another – potentially on different sides of the planet.
You get a call from the IT department – some data on a server has been decrypted because the encryption key was accessible as plain text. You ask what that means. You are told that the names, addresses, email addresses and credit card information for each customer who has made a payment in the previous weeks have been accessed. The IT guy helpfully points out that the vulnerabilities exploited could have been identified earlier if testing had been done. It’s too late for that now; what is to be done?
GDPR breaches – the practicalities
Any data breaches are subject to the General Data Protection Regulation – GDPR. In the UK the main provisions of the GDPR have been replicated in domestic legislation – the so-called UK GDPR. The general landscape of data protection is therefore identical post-Brexit.
The UK GDPR gives regulators the power to impose fines of up to €20m or 4% of global group turnover – whichever is greater. The UK’s ICO has a conservative reputation among European regulators, and is reluctant to impose fines, but the power is retained and should be taken seriously by businesses in breach.
Get the GDPR team together
In the scenario above, while it is clear data has been compromised, it is not clear whether it has been transferred to any wrongdoers. The first thing to do is to convene a team – led by a director – to manage the response process, with the highest priority being given to working out what, if anything, has been taken.
Notify insurers and external advisers of GDPR breach
If you have cyber-liability insurance, you should inform your insurers right away. It is possible that insurers will have their own incident response services that can assist your own efforts. If not, it’s time to appoint external advisers to help – including forensic IT/cyber security consultants, teams who can manage communications with affected customers and, of course, the lawyers.
It is extremely rare for internal IT teams to have the skills necessary to investigate serious data breaches – and they will be asked to spot failings in their own systems. Instructing lawyers at an early stage can help manage risks, which is helpful at a time when litigation or regulatory enforcement action may be in prospect.
When do you need to notify the ICO?
The legal obligation is to review continually whether you, as a business, must notify the ICO of any breach. Where you need to notify, this must be done without undue delay and where possible within 72 hours of having become aware of it, unless the breach is unlikely to create risks to rights and freedoms.
In our example above, there is no direct evidence that the data on the server was compromised, but there may be signs that point in that direction. For instance, a large and unexplained file transfer might indicate that a breach has occurred. In this situation, it would be advisable to notify early, “pending further information”.
Do you need to notify customers of the GDPR breach?
The key criterion under the GDPR for whether customers must be advised is whether the breach has a likelihood of creating a high risk of damage to their rights and freedoms. Where this applies, the notification must take place without undue delay and be in clear terms, providing details of the breach and, as a minimum:
- the person within the business whom the customer can contact;
- the likely consequences of the data breach; and
- what steps are being taken or proposed to deal with the breach and/or mitigate its consequences.
GDPR breaches which do not need notification
Notification to the data subject of a breach is not required where:
- technical and organisational measures applying to the data make it unusable notwithstanding the breach (for example, where the data is properly encrypted);
- steps taken have resulted in the potentially high risk created by the breach being unlikely to result in consequences; or
- it would be disproportionate, given the volume of people who would need to be contacted, for them all to be contacted individually, in which case public communication or another method of informing them may be used.
You should take legal advice on whether your customers need to be notified following a data breach. Some businesses will also want to consider obtaining PR advice, especially if they work in industries such as financial services where data protection is likely to be a particular priority. The PR advice might be about more than managing the reputational impact of the breach – as noted above, where a business has a significant number of customers, it might be that contacting them all is disproportionate. In that case, the public statement might be the only notification the data subjects receive.
What’s the damage?
The ICO advises that its main priority is not fining businesses large amounts of money. Notwithstanding this, a serious breach where the business had the resources to have prevented it may well mean a significant fine. Key initial action after a breach needs to include conducting a thorough investigation, ideally incorporating legal advice and documenting all steps in the investigation.
Gannons can help manage this process, so you have one less thing to worry about when things go wrong.
I know that when the noise dies down there is a solution to be found. I set about that task as quickly as possible.