Data Breaches under the GDPR
Data breaches are back under the spotlight following the decision by the Information Commissioner’s Office (“ICO”) to issue a £500,000 fine to Facebook on 24 October 2018. The fine relates to Facebook’s failure to protect users’ personal information and the subsequent use of such data in political campaigning by companies including Cambridge Analytica.
It is a timely reminder to all organisations regarding the possible legal and regulatory ramifications of suffering a data breach. The ICO have been at pains to make clear that the fine issued to Facebook was the maximum sum they could impose as the events relating to the breach all took place before the General Data Protection Regulations (“GDPR”) came into force in May this year.
Under the GDPR the ICO, and other national supervisory bodies, now have the ability to levy much more onerous fines on organisations for data breaches, and British Airways (“BA”) may well be looking on with some anxiety. BA announced earlier this year that it had suffered a “hack” affecting around 380,000 transactions in which the personal data of its customers was compromised. BA issued an update on 26 October 2018 admitting that the holders of a further 180,000 payment cards have also been affected and that their name, billing address, email address and card payment information, including card number, expiry date and in some cases the CVV, have potentially been compromised. The ICO has confirmed that it is currently investigating the BA breach. Since the breach occurred after May 2018, any fine the ICO decides to issue will be subject to the new law under the GDPR. Under the GDPR there are two tiers of administrative fines which BA could potentially face, depending on the severity of the breach and any failures by BA:
- Up to 10 million euros or 2% of its annual global turnover, whichever is higher; and
- Up to 20 million euros or 4% of its annual global turnover, whichever is higher.
What is a data breach?
It is important to recognise that under the GDPR, the legal definition of a data breach is widely defined:
“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
Most people would probably recognise that a cyber security “hack”, as in the case of BA, would be classed as a data breach. However, under the above definition even the accidental loss or deletion of data could amount to a breach.
The supermarket chain Morrisons recently lost their appeal in the Court of Appeal against a High Court ruling that it was vicariously liable for an employee's deliberate disclosure of co-workers' personal data on the internet. In that case the employee who worked for Morrisons as an internal IT auditor copied the personal data relating to other employees, including payroll data, onto a USB stick. He took the stick home and posted the data on the internet. The employees affected were successful in claiming damages from Morrisons which was held vicariously liable for the breaches of data protection law. There is concern that this could be the first in a wave of class actions by employees and customers after a data breach.
As Facebook and Morrisons have found out (and BA is likely to find out), a data breach can carry significant financial consequences. It is therefore very important that staff within organisations are trained to identify quickly when a breach has occurred, and that internal reporting structures are in place so staff know to whom they must report any breach. In addition, it would be prudent for organisations to have a data breach policy in place which formalises these processes and holds staff to account.
Steps a company should take if they have been affected by a data breach
Internal reporting
One of the key themes introduced by GDPR was the concept of accountability which runs through the regulations. Organisations are now required to be able to demonstrate how they are compliant with the regulations and this is largely met through having in place internal records, policies and registers demonstrating data protection compliance. One such document is an internal breach register. Organisations should maintain a breach register on which they record the factual circumstances of any breach suffered, what was done in response to the breach and any improvement measures implemented in order to prevent further breaches from happening.
Notification requirements
Organisations who suffer the misfortune of a data breach should also be aware that they may be under a legal requirement to notify either a supervisory body (which will be the ICO in the UK) or the affected individuals within a certain time limit after a breach. Organisations will be expected to notify the ICO where a breach is likely to result in a risk to an individual's rights and freedoms. There are a number of factors a data controller will need to consider when assessing the risk to individuals including the type of breach, nature, sensitivity and volume of personal data, ease of identification of individuals and severity of consequences for individuals.
If such an obligation to notify arises the data controller must then make their notification to the ICO “without undue delay” and, where possible, not later than seventy-two hours after having become aware of it. Should this take longer, then justifications must be given for the delay. Awareness of the breach is deemed to be when an organisation has a reasonable degree of certainty that the breach has occurred. If a data controller decides they are not under an obligation to report the breach, then they need to be able to justify this decision, so the breach should still be documented in the internal breach register (see above) and the justifications noted.
There may also be a requirement to communicate a breach to individuals, which is triggered where a breach is likely to result in a high risk to their rights and freedoms. The threshold for communicating a breach to individuals is higher than for notifying the relevant supervisory body.
The recent cases of Facebook, BA and Morrisons reiterate the growing importance of being able to quickly identify and properly respond to data breaches. If you would like to speak to someone regarding data breaches or data protection compliance then please contact our Commercial Team on 01603 610911.