In an era of virtual meetings and grappling with occasionally unfamiliar new technology in the course of home working, the potential for mishandling of information and for technological security failings remains - and is perhaps increased. Reports of institutions, public authorities and commercial enterprises losing data, or access to data, after falling victim to phishing scams, malware and hacking attempts continue to flow.
Not only do such occurrences result in disruption, reputational issues and the potential loss of valuable proprietary information, they may also constitute ‘data breaches’ under the General Data Protection Regulation. Any such occurrence therefore has the potential to take up a significant amount of staff time and effort, in a period in which resources and budgets are already overstretched. Under GDPR, a significant breach must be reported to relevant data authorities within 72 hours of the affected institution learning of the incident.
Considering the challenges of remote working and the difficulties that can exist in getting hold of relevant staff members who are balancing multiple responsibilities, it is more important than ever to have plans in place and to act quickly when a data breach is suspected. The maximum fine the Information Commissioner can impose for a breach of data protection laws increased from £500k under the Data Protection Act 1998 to €20 million or 4% of global annual turnover, whichever is greater, under GDPR.
In addition to regulatory action, institutions should also proceed with the risk of litigation being brought by those affected squarely in mind. Increasingly, the cost of dealing with complaints is higher than the cost incurred as part of the regulatory process. External advisers can often assist with much of the process – advising to the extent needed on appropriate investigatory steps, drafting notifications to regulators and affected individuals, and coordinating advice and activity across multiple jurisdictions (where necessary). Getting the right input, right from the start, is key.