
New rules for Data Processors and Data Controllers - Personal Data Breaches

  • United Kingdom
  • Industrials - Chemicals

18-12-2017

An area of the GDPR that is causing businesses the greatest concern is the imposition of legal obligations relating to Personal Data Breaches. Failure to comply with these obligations could expose organisations that deal in personal data to the risk of enforcement action, including potentially substantive fines and claims for compensation or damages. Therefore, it is key to have the necessary processes in place to effectively deal with and mitigate any potential liabilities caused by a Personal Data Breach before the GDPR comes into effect in the UK on 25 May 2018. In this article we explore the implications of a GDPR Personal Data Breach, the impact this may have on your business operations and the key elements of breach management in the chemicals and energy sector.

New rules for Data Processors and Data Controllers

Data Processors (organisations processing personal data on behalf of a Data Controller) will be required to notify the Data Controller of any Personal Data Breach without undue delay after they become aware of the breach. This extends to any Personal Data Breaches irrespective of whether or not the breach would result in damage to the individuals the personal data relates to.

Data Controllers (the organisations controlling the processing of personal data) in the UK will be required to notify the Supervisory Authority, which in the UK is the Information Commissioner's Office (“ICO”), of any breach likely to cause harm to an individual within 72 hours of becoming aware of it. Where the breach is a “near miss” there is no obligation on a Data Controller to notify the Supervisory Authority.

Breach management

When handling any breach, there are a number of key elements:

1. Reporting – is there a clear and defined channel or process to manage a report of an actual or suspected data breach?

Further, do the breach management processes ensure that:

  • Staff and Data Processors are able to easily report any suspected data breaches?
  • Details of any serious breach are escalated to senior management, together with sufficient information to allow them to make decisions in respect of the breach?

2. Verification – has a breach occurred and, if so, how?

It is important not just to identify whether a breach has occurred, but also to plan measures to contain or mitigate the suspected breach that can be implemented immediately.

3. Containment – is the breach ongoing?

Are there any steps that can be used to stop the breach continuing? Before containing the breach, it may be useful to take specialist advice as to whether this may hinder the identification of the cause of the breach or the apprehension of the offenders.

4. Mitigation – what can be done to limit the impact of the breach?

The breach management process should be able to draw in key personnel and senior managers, not just in legal and IT (including any Data Protection Officer) but also in PR/Communications and any operational units potentially impacted by the breach or by any attempts to contain it. Where the breach has arisen as a result of the (in)actions of a Data Processor, the contract manager, and possibly a representative of the Data Processor, should also be involved.

Reporting

Once it has been established that a Data Breach has occurred, the Supervisory Authority should be notified of the breach, together with any relevant information that has been gleaned as to the causes and potential impact of the breach.

If there is insurance cover, the policy may require that the insurers are promptly notified of the potential breach, as they may wish to have some input into the breach management process.

If there is a suspicion that the breach was the result of a criminal activity, such as a cyber-attack, it would also be appropriate to inform the police or the National Cyber Security Centre at this point in time.

What should be in a report?

Under the GDPR, the Data Controller is required to provide the following information to the Supervisory Authority:

  • a description of the nature of the breach, including, where possible, the categories and approximate number of data subjects and personal data records concerned;
  • the name and contact details of the relevant Data Protection Officer or contact point;
  • the likely consequences of the data breach; and
  • measures taken or proposed by the controller to address the breach and/or mitigate its effects. This will include, if held, any evidence that Data Protection by Design and Default methodology was used during the development and implementation processes.

A failure to notify the Supervisory Authority within the 72 hours could result in fines of up to the greater of 2% of global annual turnover for the preceding financial year or €10 million.

Costs of a breach

An assessment should be undertaken, as soon as possible, as to the potential scope and damage caused by the breach, not just in terms of volume and types of information at risk, but also the potential damage the breach could cause the data subjects. This, in turn, will give an indication as to the potential liability that the breach could cause.

The impact of a data breach could include:

  • fines of up to the greater of 4% of global annual turnover for the preceding financial year or €20 million in relation to the breach;
  • civil claims for damages arising from the breach;
  • costs incurred in mitigating the breach;
  • damage to brand/reputation; and
  • notifying data subjects.

The GDPR also places a general obligation on the Data Controller to notify the affected individuals about the breach without undue delay, if the breach is likely to result in a high risk to them.

There is also a risk of further reputational damage if the delay in notification is excessive, either from the date the breach commenced or the date the organisation became aware of the breach, unless there are extenuating circumstances that justify the delay, such as where the disclosure would jeopardise a criminal investigation.

Conclusions

When dealing with a breach, it is important to have prepared for it, both by implementing adequate data security measures to try to prevent it and by having clear and defined processes to manage the breach and reduce the impact on the individuals who may be affected by it.