Recent serious breaches of Data Protection have been reported this week in Northern Ireland and Scotland. In both cases, individuals have been put at risk because inadvertent human error caused sensitive personal confidential data to be released.
The General Data Protection Regulation (GDPR) came into effect on 25th May 2018, with the goal of protecting personal data and upholding individual privacy rights within the European Union. Even with the UK’s exit from the EU, similar legal Data Protection principles have been maintained, and employers in England and Wales must comply with them.
Potential Consequences of a GDPR Breach:
- Financial Penalties: Non-compliance can result in the ICO imposing fines of up to £17.5 million or 4% of the organisation’s annual global turnover for a substantial breach, and £8.7 million or 2% for a standard breach, whichever is the higher amount in each case.
- Reputation Damage: Breaches can lead to a loss of trust among customers and stakeholders, potentially harming long-term business prospects.
- Legal Challenges: Individuals affected by the breach may seek legal recourse, leading to further financial burdens and negative publicity.
- Operational Disruption: An investigation into a breach could interrupt daily business operations, causing delays and inefficiencies.
Actions to Take in the Event of a Data Breach:
The first rule: do not panic, but do not ignore it either, especially if it is a serious breach. Whether it is your customers’ credit card information, your patients’ personal records, or your employees’ employment details, someone, somewhere can use the leaked information, and not for good.
- Immediate Containment: Identify and isolate the breach to prevent further unauthorised access or dissemination.
- Assessment and Documentation: Gather as much information about the breach as possible, including what data was affected, how the breach occurred, and who may be responsible.
- Notify the Supervisory Authority: In England and Wales, report the breach to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it, together with an action plan of how you propose to rectify the breach.
- Inform Affected Individuals: If the breach poses a risk to individuals’ rights and freedoms, notify them promptly and provide guidance on protective measures they can take. If the individuals involved are your own employees, as in the case of the entire Northern Ireland police force, then the consequences and fallout from the breach must be tackled as an immediate priority, as staff are going to be really angry and distrustful. The negative ripple effect on staff morale and retention should not be underestimated.
- Engage Legal and Forensic Experts: Seek professional advice to ensure that your actions align with your legal obligations, and gather evidence if needed. This is particularly important when the breach is the result of IT hacking.
- Implement Remedial Measures: Strengthen security measures to prevent future breaches, and restore systems to full functionality.
- Monitor and Analyse Impact: Continuously monitor the affected systems and data to detect any ongoing or secondary threats.
- Develop a Communication Strategy: Provide clear and accurate information to staff, customers, and stakeholders, and manage the public relations aspect of the breach.
- Review and Update Policies and Procedures: Analyse the breach to understand underlying weaknesses, and update policies and training accordingly. Again, in the Northern Ireland Police case, why was all of that key staff information on a single Excel spreadsheet? Who had the authority to access that information? Who authorised putting that spreadsheet onto a website, and if it was down to human error, were there checks in place to make sure that this did not happen?
- Insure Against Future Risks: Consider investing in cyber liability insurance to mitigate potential financial consequences of future breaches.
The complex nature of data protection and the corresponding legislation in England and Wales requires all organisations to take the acquisition, handling, storage and disposal of sensitive personal data very seriously. Investing in robust security measures, staff training, and preparedness planning can mitigate the risks and help organisations navigate the challenging landscape of data protection compliance.
Understanding the dangers of a data protection breach, especially one involving your own staff, and following the actions outlined above means that organisations can not only respond effectively to breaches, but also foster a culture that prioritises data privacy and security so that breaches, whether due to human error, deliberate action or criminal activity, simply do not happen.
The guidance provided in this article is just that – guidance. Before taking any action, make sure that you know what you are doing, or call an expert for specific advice.