GDPR and Data Breaches

Transcript of the Video

Good evening ladies and gentlemen. Suzanne Dibble here, data protection law expert, coming to you raw and uncut from a slightly chilly air-conditioned room, hence the cashmere wrap, but a welcome one really from the 35 degrees plus outside. What am I going to be talking to you about tonight?

I'm going to be talking to you about GDPR and data breaches, and it's a significant part of the GDPR legislation, with potential fines of up to 10 million Euros or 2% of your worldwide turnover, whichever is the higher, if you get it wrong. It is a key part of GDPR.

Firstly, what is a data breach? Well, Article 4(12) says that a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. Okay.

What does that mean in reality? Well, so for example, obviously somebody hacking into your system and stealing your data would be a data breach. You or your staff sending emails to the wrong person is a data breach. An employee leaving their computer on the train, or personal data that's been printed out and left in the toilets and it being lost or stolen, is a data breach. Somebody altering personal data without permission is a data breach. If somebody's hacked in or an employee has made an alteration without permission, that would be a data breach. Loss of availability of personal data, for example if it's become corrupted or been destroyed, would be a personal data breach. Fairly obviously, if you've got a ransomware attack, where something's been encrypted and you need to pay an amount to get a key to encrypt that back, that is also an example of a data breach. Those are just some examples, but that kind of gives you the flavor of the types of things that we're dealing with here.

So, if you have a data breach, what is your obligation under GDPR? Well, there are two things to consider here. The first is that you've got to report it to your supervisory authority, so that's the ICO or whoever else it might be. You've got to report it within 72 hours of becoming aware of the breach, unless it's not likely to result in a risk to individuals' rights and freedoms.

Okay, so if, say, there has been an authorized alteration to an employee phone list, okay, that's unlikely to result in a risk to individuals' rights and freedoms, so you wouldn't have to notify that. I'll be saying much more about that in a bit, but that was just an example. It's not always that you have to notify the ICO, it's only if it's likely to result in a risk to individuals' rights and freedoms that you would have to notify the ICO. If you have to notify, then you've got to do it within 72 hours of becoming aware of the breach.

Now the second part is that you must report the breach to the individual concerned, where it's likely to result in a high risk to the rights and freedoms of that individual. Okay, so to report it to the ICO or the relevant supervisory authority, it's a risk to the individual's rights and freedoms. You have to report it to the individual if there's a high risk to the rights and freedoms, okay. With reporting it to the ICO it's 72 hours of becoming aware of the breach, and when reporting it to an individual, then it's without undue delay, which is legal terminology for as soon as possible.

Okay, so what you need to do if you have a data breach, you obviously need to decide if it's likely to affect people's rights and freedoms, and if so how severe it is. Now if it's unlikely, I'd say this is unlikely, this table keeps jiggling about, doesn't it? Sorry if it's disturbing the visuals here. I shall take my hand off the table and hope that it doesn't jig. Yeah, so if it's unlikely to result in a risk to individuals' rights and freedoms, you don't need to notify.

What you still need to do is to document that and to keep it on record. We know now, if you've listened to any of my videos, the ICO is very keen on seeing, if there is any investigation, that we have considered it, we've documented it and we've kept it on record, so that we can talk the ICO through our decision-making processes at that time. Even if you don't need to notify, you still need to, if you've had a data breach, document it, really consider it, show your reasons as to why you're not notifying or your reasons why you are notifying, and keep that on record.

What is likely to be a high risk? What is going to be high risk to the rights and freedoms of individuals? Well obviously, if it's likely that an individual might suffer discrimination or identity theft or fraud or financial loss or damage to reputation, then they are classed as high risk. Okay, so if there's any chance of any of that happening, then you need to be notifying the ICO pretty quickly and also the individuals concerned.

Now with sensitive data, and we know what that is, I'll re-post the definition of that in the comments below, but we know that that is things like your racial or ethnic origin, your sexual persuasion, your religious beliefs, your political beliefs, et cetera, things like that. I'll post the exact definition in the comments below, but if it is a data breach of sensitive data, then again, chances are that's going to be high risk and that is something that you would notify both the ICO about and the individuals concerned.

Right, let's look at, let me just go through my notes here, let's just look at some more examples of what would be considered to be a risk, and a high risk, in terms of whether you'd need to notify the ICO and the individual. This is from the working party guidance on this. There's a number of things you need to consider.

The first one is the type of breach. In terms of what has happened, is it that someone's hacked in or is it that the data's become corrupted? Obviously, someone hacking in is going to be a lot more high risk than if the data has simply become corrupted. For example, if medical information has been disclosed to an authorized person, that's going to have a higher risk of adversely affecting someone's rights and freedoms, as opposed to where medical information has just been lost and it's no longer available. Maybe notes have got lost in the system or something like that. You need to look at the type of breach firstly.

Then you need to consider the nature, sensitivity and volume of the personal data. As I've already said, the more sensitive the data, the higher the risk of harm, but it depends on the circumstances. An example that they give in the working party guidance is that normally disclosing the name and address of one person would not be considered to be high risk, but if it's disclosing the name and address of an adoptive parent to the birth parent, then the consequences could be severe for both the adoptive parent and the child. It's very much that you have to look at the individual circumstances of each case.

A combination of data is typically more sensitive than a single piece of data. For example, if you've got somebody's home address and financial details, then that is more likely to lead to identity theft or some kind of fraud or financial loss than if it's just your home address, for example. Another example that they gave is that a list of customers who are accepting regular deliveries might not be particularly sensitive, but if together with that same data there's also a list of the dates that those customers have requested those deliveries be stopped, because they're on holiday, then obviously that would be useful information to criminals.

So that data combined would be a lot more sensitive and therefore higher risk than just the dates that they're going on holiday without their address, or just the regular deliveries and their addresses without the piece about them going on holiday.

You have to look at how easy it is to identify specific individuals. Is there a certain level of encryption that's been used that would make it more difficult, in which case that would lower the risk, or any pseudo, I never say this word, pseudonymization? Then again that would be low risk.

You have to look at who the data has been disclosed to. Say for example an employee's just sent a file to the wrong client and you can reasonably rely on that client's assurance that they will delete it, then that will be different to if you don't know the person it's been disclosed to, or of course if someone's hacked in and stolen it, when it would be a lot higher risk.

You also need to think about the vulnerabilities of data subjects. If it's elderly people with dementia, for example, that are being targeted for, I don't know, their names and addresses so that unscrupulous salesmen can go around and con them out of their life savings, then obviously that's high risk. You have to look at the number of people affected. Generally, the higher the number of people affected, the greater the impact and the more likely you are to need to report it. Saying that, that's again not an absolute, you have to look at the circumstances. There are cases where just the loss of one person's data would need to be reported. You also need to look at the characteristics of the data controller. For example, medical organizations would generally be a higher risk than others.

What information, if you've got a breach... and actually there is this, hilariously, I've got to put this thing in, I came across this. Oh, someone's having a party upstairs. Where is this, let me try and find it for you. Here we are, recommendations, I'll post it in the group, you can have a look at it now. I suspect that nobody will use it, because it's so complicated, but I will post a link to recommendations for a methodology of the assessment of severity of personal data breaches, and good luck to you if you can make that into a workable document in your business.

Okay, if you can and you do that, then do post it in the group for everyone to use. I'm sure everyone will be enormously grateful. I'll post that just for you to have a look at, to see how complex it is, but that's not the point. The point is, you've got to do that risk analysis exercise if there's been any data breach. If you're in any doubt, then talk to an expert and get the help that you need, because like I say, if you fail to notify when you should have done, then there is potentially a fine of, again it depends on the severity of what's happened, potentially there's a fine of 10 million Euros, so you've got to take it seriously.

Okay, so what information do you need to give to the ICO? Now, I'll say there are the two aspects: one is notifying the ICO or whichever supervisory authority it is, and the next bit is notifying the individual. This is what information you need to give to the ICO or the supervisory authority. When reporting a breach, you have to provide a description of the nature of the personal data breach. So what that means is, a description of the nature of the personal data breach would be "somebody has hacked into our systems" or "such and such an employee left their computer on the train and it wasn't password protected", et cetera. You have to also, where possible, provide details of the categories and the approximate number of individuals concerned, and the categories and the approximate number of personal data records concerned.

Okay, so if you had a spreadsheet and there are 10 customers on there and their details, then that's what you would tell them. However, if it was access to a database on someone's lost computer that was properly password protected or encrypted, and you've got 50,000 records on that, then that's the figure that you'd give to the ICO.

You also have to provide the name and contact details of the data protection officer or, if you haven't got a data protection officer, another contact where more information can be obtained. You need to provide a description of the likely consequences of the personal data breach, and a description of the measures taken or proposed to be taken to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects. You've got to write all of that and send it to the ICO.

Now, let me just see, right. I'll also post the link to where you would report it, okay. There is a dedicated number that you can call and I'll post the link to that, and it's open Monday to Friday between nine and five, but they close after one on Wednesdays for staff training. Well actually, it says, "If you've experienced a data breach and need to report it, but you're confident you've dealt with it appropriately, you may prefer to report it online. You may also want to report a breach online if you're still investigating and will be able to provide more information at a later date. If you're reporting online, make sure you include the telephone number of someone familiar with the breach," blah, blah.

I think their main steer is to actually phone them up and discuss the breach, but obviously, if you become aware of it at 6 PM on a Friday, I would not be waiting until the Monday to speak to them. I would be notifying them of it online and following up with a call on Monday morning.

Okay, so what information do you need to provide to individuals? Okay, so you've ascertained that there's a high risk to the rights and freedoms of individuals and therefore you have to notify the individuals. Remember that's not within 72 hours, that's ASAP. Then you need to provide them with the following information: the name and contact details of your data protection officer or another contact, a description of the likely consequences of the data breach, and a description of the measures being taken to deal with the breach and to mitigate the possible adverse effects.

Okay, it's going to be quite a difficult letter to write, isn't it really? I don't envy anyone who has to write that letter to an individual, or indeed to receive it. If we as individuals are on the receiving end of that letter, not very pleasant, is it? That's the name and contact details of the DPO or other contacts, and the description of the likely consequences of the data breach, which I imagine are pretty hard to be certain of, aren't they?

I mean, if someone's hacked in, actually you can assume malicious intentions, but you don't exactly know what they're going to do with that. I would be talking about the loss of confidentiality and obviously you'd be explaining, you know, what the actual data was that was breached, and the description of the measures being taken to deal with the breach. What are you doing? Have you hired security experts to track down the hacker? Are you liaising with the police? Are you liaising with the fraud squad, or whatever they're called these days? How are you mitigating the possible adverse effects?

I think obviously, if you do have a data breach, then that's the point when you reach out to the experts for help. Obviously, if it is a breach that you need to notify, then I would definitely be reaching out to lawyers and to security specialists to help you with that.

Now, a key point also is that you need to record all breaches even if they're not notifiable. Section, oh sorry, Article 33(5) sets out the way that you need to record them. Okay, there's a certain way that you need to record your breaches, and there is a breach record form in my GDPR pack. That's coming out I think next week, because obviously if you buy my pack, the documents are being time-released, we've released five weeks out of seven. Then we've got two more weeks to go and I think that's either next week or the week after, but that's in the pack.

Then as I said, if you do fail to notify when you should have done, it's up to, I'm not saying this is a blanket case where if you fail to notify you will be fined 10 million Euros, but that's the maximum fine that can be imposed for a failure to notify a data breach: 10 million Euros or 2% of your global turnover for the last 12 months, whichever is the higher.

As I say, a fairly serious part of GDPR, and as small business owners, we talk about that. There was a great post today that elicited hundreds of comments from people saying, "Oh, you know, this is just such a pain in the bum for a small business owner. We've got a business to run, we haven't got time to think about this." This is really the heart of what GDPR is getting at, data breaches, and it's only right that the sanctions have increased.

Let's hope that it doesn't happen to any of us, on either side of the fence, whether it's us as business owners where we've had a data breach, or us as consumers and data subjects where it's our data that has been breached. A very difficult position to be in on both sides of the fence. Oh, hang on a minute.

This is where data security really comes into its own, and if you haven't yet watched the interview that I did with Lewis, our security expert, then please do that. I think I'll also have another interview with another security expert, with some slightly different angles in there, in the next few weeks. You know, security is key, and it is not like we don't have provisions at the moment under our existing data protection laws that say we need to keep our data secure. It's nothing new. What's new, of course, is the fines and the seriousness with which this is being taken.

Again, I don't want to panic any of you, if you're not processing high volumes of data or sensitive data, or, you know, you can't think of any consequences whereby the rights and freedoms of individuals could be affected. If an employee just prints something out and leaves it on the train... that's what I'd encourage you all to do actually, think about what's your worst-case scenario for the data that you hold?

If an employee does print something out and leaves it on the train, what's the worst-case scenario? If someone hacks into your systems, what's the worst-case scenario? Have a think about that, and if of course you come to the conclusion that you are a membership association of 20 people and there's absolutely no sensitive data and nothing that would cause anyone any harm, then great. You can totally relax about it, but if you're not, then I think that is where you really need to brush up on all of the security of your data, and also that of your processors, of course. If there is a breach of your data through the processor's actions or inactions, then you still need to report that breach, and there's an obligation on the processor: if the processor becomes aware of a breach that concerns your data subjects' personal data, the processor has to tell you about that. Then you have to report that breach, and that obligation should be in your agreement with your processor, and of course it is in the processor agreement that's in my pack, it's in there.

It's a key piece of GDPR, something to be taken seriously. Like I said, I just hope that none of us in this group end up on either side of a data breach, whether that be as our businesses or as the data subject. Okay, I think that's enough for tonight. Oh gosh, 23 minutes, yes, I think that's one of my longer videos, but I hope that's been helpful. I haven't really touched on data breaches before, so hopefully that gives you a good overview as to what you need to be thinking about if you ever need to. I hope you don't, but it's there in case you need it. All right, ladies and gentlemen, I will catch up with you tomorrow.