Data breaches: losing a fortune
Data is valuable and, under some new legislation, data breaches are about to become a lot more expensive. The new rules will affect anyone who holds data – from sole traders to charities, clubs and businesses – with significant penalties for getting it wrong. We explain how to deal with data problems and stay on the right side of the law.
Data has value, personal data in particular. It can be amalgamated, sorted and subjected to in-depth interrogation in order to reveal identities, preferences and behaviours. The results inform advertising and sales strategies in the competition for market share. Products are designed to meet the requirements of computer-generated profiles for various geographic and demographic groups – data is big business.
For individuals, data has additional worth: where personal data is accidentally or maliciously released, jobs, financial security and livelihoods can be lost. Reputations may be shredded by the unwanted publication of private events, and family relationships may be harmed. Finally, for criminals, personal data is a fantastic opportunity. Armed with bank account details, names, addresses and a minimal amount of family information, a scammer has all the basic ingredients needed to attempt fraudulent payments or identity fraud.
Entities of all sizes, across all sectors, collect, process and store vast quantities of personal data, but do not always adequately protect it from theft or misuse. Because of this, new legislation is about to come into force, which is designed to improve processes and safeguards surrounding such data. From 25 May 2018 most organisations, and some individuals, will be required to comply with the EU General Data Protection Regulation (GDPR). Family offices, small businesses, charities and even social and sporting associations are not exempt.
The Information Commissioner’s Office (ICO) enforces data protection regulation in the UK, and loss of personal data (whether accidental or malicious) is the main way that an entity will come to its attention. Once the GDPR is in force, it will be mandatory to notify the ICO of a personal data breach unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. Notification must be made without undue delay and, where feasible, within 72 hours of the moment the organisation becomes aware that a breach has occurred; a notification made later than that must be accompanied by the reasons for the delay. Failure to make a report can result in a fine of up to €10 million or 2 per cent of worldwide annual turnover (whichever is greater), so it is vital to manage these situations appropriately.
In order to do this, organisations must have a set process, tested in advance, that allows them to investigate, assess and determine whether to notify the ICO within the permitted timeframe. Because the 72-hour clock starts when the organisation becomes aware of the breach, the process should also record when, and how, that awareness arose. It is important to bear in mind that the circumstances in which this process is being implemented may not be ideal: while the ICO might be sympathetic if your servers have been encrypted by ransomware, your email has been shut down and your IT manager is on holiday, this is not an excuse for non-compliance under the law. External assistance may be required, and organisations should identify in advance who they might turn to for help in such circumstances.
If a notification to the ICO is necessary, the next question is whether the breach is likely to result in a “high risk” to the rights and freedoms of the individuals concerned. If the answer is yes, each of those individuals must also be told about the breach without undue delay, unless, for example, the data was protected by measures such as encryption that render it unintelligible to anyone not authorised to access it. Such a disclosure may have wide-ranging repercussions, not least because the individuals affected are likely to be employees and/or customers. Care should be taken to craft an appropriate message, with an eye to the potential for future claims as a result of the breach.
GDPR represents a significant shift in data protection regulation in the UK and must be taken seriously. Organisations must be prepared both for changes in their day-to-day data processing and for the “disaster” scenario of a data breach. However, with appropriate advice, and proactive engagement and input from management, the negative consequences of any breach can be minimised.