Every organisation should already understand the importance of keeping client data secure.
However, under the Data Protection Act 1998 there is no general obligation to report personal data breaches. This will change on 25 May 2018, when the General Data Protection Regulation (GDPR) applies and introduces a mandatory breach notification requirement, backed by potentially high penalties for non-compliance.
The GDPR defines a personal data breach as
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4(12)).
If there is a breach, the data controller must notify the supervisory authority (in the UK, the ICO) unless the breach is unlikely to “result in a risk to the rights and freedoms of natural persons” (Article 33). Where the breach is likely to result in a high risk to those rights and freedoms, the controller must also communicate the breach to the affected data subjects themselves (Article 34, subject to several exceptions, for example where the data was encrypted so as to be unintelligible to anyone not authorised to access it).
The breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, so all employees should understand what to do and who to contact internally as soon as they suspect a breach. If you do not meet the 72 hour deadline, the notification must be accompanied by the reasons for the delay.
Article 33(3) of the GDPR specifies that the notification to the supervisory authority must include:
- the name and contact details of the Data Protection Officer or another contact point from whom more information can be obtained
- the nature of the data breach (including, where possible, the categories and approximate number of data subjects and of personal data records concerned)
- the likely consequences of the breach
- the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
Under Article 33(5) you must also document every personal data breach, whether or not it was notifiable, recording the facts of the breach, its effects and the remedial action taken, so that the supervisory authority can verify compliance.
Whilst there is a lot of hype around fines under the GDPR, and huge fines are unlikely to be imposed immediately, the worst case scenario should still be considered. Failing to meet the notification obligations can attract a fine of up to €10m or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(4)). On top of this is the reputational damage caused by a breach, which could have even more serious consequences for the business than the penalty itself.
The key is to have controls in place to minimise the risk of a breach in the first place, and, since no control is perfect, processes in place to detect a breach quickly and notify it within the deadline if one does occur.