In this blog, we explore: what constitutes a data breach and personal data; the responsibilities of businesses processing this data; who regulates data breaches in the UK; and key steps you can take in the event of a data breach.
According to GOV.UK, “a data breach is a security incident that results in personal data you or your company holds being: lost or stolen, destroyed without consent, changed without consent or accessed by someone without permission.” Some of the most common causes of a data breach include stolen information (often resulting from simple human error); ransomware attacks (where threat actors encrypt data and demand a ransom payment for its release); and phishing (where third parties create sites or emails that look genuine but contain malicious links).
Personal data refers to information that directly identifies an individual, such as a person’s name or address, or information that can indirectly identify an individual like a personal email address or telephone number.
Anyone within an organisation that directly or indirectly interacts with personal data has a responsibility to ensure it’s handled in a responsible and GDPR-compliant manner.
Data controllers, including businesses, organisations, charities and associations, have the responsibility of deciding how personal data is processed and protecting it from harm.
Data controllers can delegate the processing of personal data to what is known as a ‘data processor,’ but they still retain responsibility for the security of that personal data. Data processors, of course, also have to protect people’s personal data, but they only act on a controller’s instructions.
In simple terms, a data controller is the organisation that solely or jointly determines the purpose and means of processing personal data. For more information, refer to the GDPR guidelines.
A data processor is the organisation processing personal data on behalf of the data controller.
Under GDPR law, data controllers and processors are required to designate a data protection officer where:
The DPO should report into the highest level of management within the organisation, and be appointed if any of the above points are met, regardless of company size. A DPO doesn’t have to be an internal employee; you’re able to outsource this.
Even if you’re not legally obliged to appoint a DPO, it’s highly recommended as good practice to have at least one data privacy officer in place.
It should be noted that, at the time of writing, UK data protection law is being revised; as such, your obligations, including the requirement to appoint a DPO, may change in the near future.
Data owners are accountable for data security and, for this reason, are usually held liable for any damage (and associated claims for compensation payable to an individual) if their processing activities infringe UK GDPR.
The Information Commissioner’s Office (ICO) is responsible for enforcing Part 3 of the UK Data Protection Act 2018 (the UK implementation of GDPR). The act introduces a duty on all organisations to report certain types of personal data breaches to the Information Commissioner. You must do this within 72 hours of becoming aware of the breach — where feasible.
Yes! Firstly, you can be fined up to £8.7m or 2% of your global annual turnover if you fail to notify the ICO of a breach when required to do so. This can be combined with the ICO’s other enforcement powers to fine organisations up to £17.5m or 4% of global annual turnover for serious breaches of data protection principles. In both cases, the fine is whichever figure is higher.
As well as issuing the fines mentioned above, the ICO has several enforcement tools, such as assessment notices, warnings, reprimands and enforcement notices. The ICO takes a risk-based approach to enforcement, focusing more on cases involving reckless or deliberate harms, and is therefore unlikely to take enforcement action against any organisation genuinely seeking to comply with the provisions of the legislation. Nor does it seek to penalise organisations where a member of staff has made a genuine mistake when acting in good faith and in the public interest; for example, in an emergency situation or to protect someone’s safety.
It’s critical to have an incident response plan (IRP) that’s regularly reviewed, tried and tested. An effective IRP should:
1. Engage third-party specialists, including your cyber insurers (if applicable), incident responders, crisis communications specialists, IT forensics, external counsel and TransUnion, which offers a data breach service for your consumer remediation needs
2. Consider how your business will function if systems are taken down
3. State how you’ll manage regulators, including the ICO, and handle any litigation from those impacted
4. Have the tools and expertise in place to take down data from the internet
5. Communicate no more widely than necessary, and only in confirmed facts, outside the breach working group, and consider what could be held against you in any future litigation
6. Understand investigations can take many months to complete depending on the complexity of the incident
7. Be ready at all times with third-party specialists and internal stakeholders on deck for any data crisis — and tested offline backups in place
By law, you must report a personal data breach to the ICO without undue delay (if it meets the threshold for reporting) and within 72 hours. That threshold is dependent on the likelihood of the breach resulting in a risk to the rights and freedoms of individuals impacted. If left unaddressed, risks could include:
You must also communicate the data breach to all individuals impacted without undue delay where there’s a high risk to their rights and freedoms. This high risk means the threshold is higher than that for reporting an incident to the ICO.
A data breach is an event in which personal data has been lost, changed, accessed or shared without the permission of the individual that data is about. Organisations that deal with personal data have a responsibility to protect and use it appropriately and compliantly under GDPR law. The ICO is responsible for enforcing GDPR and DPA law for personal data breaches and has enforcement powers, including fines. In the event of a breach, businesses must act to investigate, mitigate and respond. When a data breach occurs, businesses must notify the ICO (where the reporting threshold is met) within 72 hours, and have a duty to inform affected individuals in a timely manner.