Companies in the UK need to be aware of their responsibilities in the event of a breach of the personal data they hold. Although the provisions are broadly similar, a breach affecting individuals in the UK will trigger the UK GDPR (and any notifications will have to go to the UK Information Commissioner's Office (ICO)), while a breach affecting individuals in the EEA will trigger the EU GDPR (with notifications going to the relevant EU Data Protection Agency).
Broadly defined, a personal data breach is a security incident that has affected the confidentiality, integrity or availability of personal data. There will be a personal data breach whenever any personal data is accidentally lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals (Information Commissioner's Office).
The implications of a data breach for an individual are many and diverse, and can include identity theft, fraud, loss of confidentiality, reputational damage and/or financial loss. On their own or cumulatively, these can contribute to emotional distress and physical and/or material damage for one individual or a group of individuals. While in many cases such adverse consequences are unlikely, it is critically important that businesses do everything in their power to avoid them, to safeguard affected individuals, and to take all necessary remedial steps.
When it is clear there has been a data breach of any kind, the nominated Data Protection Officer (DPO) should be alerted.
The DPO should assess the scope and extent of the data breach by addressing the types of personal data involved, the number of data subjects, the security measures currently in place, and the likely cause of the breach.
If the DPO determines that there is a "high risk of adversely affecting individuals' rights and freedoms", the breach must be notified to the ICO within 72 hours. Conversely, if the DPO decides that the risk is negligible or low, no external report is required. However, details of the breach should still be recorded on an incident report register.
If it has been determined that a high-risk data breach has occurred, best practice is for the business to alert affected customers at the same time as the ICO, so that those customers can take any relevant safeguarding actions to protect their data. If a business chooses not to take this step, it may be compelled to do so by the ICO in any event. Relevant and transparent details should be provided to customers, such as the nature of the breach, its potential impacts and the remedial actions being taken by the business.
At the same time as the above steps, incident support or technical teams should be working quickly to take whatever remedial action is necessary to fix vulnerabilities in data storage systems and to prevent further similar breaches from happening.
A log should be retained of every action and decision taken, and regular communication should be maintained with the DPO.
Once they become public (and this will happen very quickly once customers are notified), data breaches can be highly damaging to corporate reputation if not managed properly.
Taking care of the following will assist businesses in managing and recovering reputation should this occur:
Businesses that have engaged in advance crisis planning will be able to respond much more quickly and effectively to an unexpected data breach, thus minimising, and possibly avoiding altogether, reputational damage. There should be pre-appointed key crisis handlers (including the leaders and the CEO).
Some of the negative reputational aspects of a breach may be minimised by keeping a clear and helpful line of communication open with affected customers: updating them on what is happening, addressing their queries (or complaints), and assisting them with any actions they may need to take. Information could be provided on how customers can protect themselves, e.g. by changing passwords or by being more alert to fraudulent activity on their accounts.
Lessons can be learned from data breaches, which can be used to strengthen internal systems and to provide better services to customers. If businesses can clearly show and communicate this to customers following a breach, it is more likely that a good corporate reputation will be maintained.
The information on this website is intended as a guide and does not constitute legal advice. Vardags do not accept liability for any errors in the information on this website, nor any losses stemming from reliance upon the statements made herein. All articles and pages aim to reflect the legal position at the time they were published, and may have been rendered obsolete by subsequent developments in the law. Should you require specialist advice, tailored to your situation, please see how Vardags can help you.