There have been so many news articles over the last few days on data breaches. There is no complete escape from a potential data breach, but how you mitigate and manage the risk is critical. As anticipated, it is not just hacks that are the source of breaches but also simple human error. Here's a quick list of some of the most recent ones:
- Bank of Ireland notified the DPC of a breach concerning sensitive staff information. A spreadsheet containing staff performance evaluations was accessible by anyone outside the organisation;
- Bank of Ireland also recently notified the DPC of another breach where the details of 100 staff members' compensation packages were circulated to the wrong people internally;
Think of how awkward the compensation issue is. Not only does Bank of Ireland have to deal with the data protection fall-out and the embarrassing reputational issues, but it also has to handle the employee relations difficulties that will undoubtedly arise!
- UBER has revealed a significant breach that happened last year affecting customer data pertaining to 57 million users. UBER actually paid a ransom to the hackers and kept the issue quiet. The DPC is now investigating whether there is any impact on Irish citizens;
- The Central Statistics Office is also being investigated by the DPC in relation to the P45 details of 3,000 former employees being disclosed by email to the wrong people. Ouch!
These are just some of the recent breaches that have been notified to the DPC and reported in the media. There will be plenty more that are unreported under our current legal framework.
So what difference will GDPR make to these situations?
Firstly, there are mandatory reporting provisions in respect of breaches and there is a very low threshold as to what constitutes a breach. Relevant breaches must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach. So no escape for UBER if that incident were to happen after 25 May 2018. Whether a breach needs to be notified will come down to an analysis of the risk the breach creates: only a breach that is unlikely to result in a risk to the rights and freedoms of the individuals concerned escapes notification. Any breach that gives rise to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (which would likely include data being accidentally deleted, as well as the misdirected emails and exposed spreadsheets in the examples above) will need to be assessed to determine whether the mandatory breach notification obligations apply. A lot of breaches will have to be notified.
Secondly, in certain circumstances, the data controller will not only have to notify the DPC but may also need to notify the data subject directly. This arises when there is a high risk to the individual as a result of the breach.
Thirdly, fines can arise on two fronts in relation to breaches. There may be a fine for poor GDPR compliance that resulted in the breach. There may also be a fine for not notifying the breach to the DPC or for not notifying it in sufficient time.
Fourthly, processors will have an obligation to notify controllers without undue delay after becoming aware of a breach in a downstream processing situation. They will also need to provide relevant assistance to the controller in meeting its own notification obligations. If the breach occurs and the processor has not been dealing with the data in the manner it should have been, then the processor may also be liable for the breach.
Even if you do not have to notify the DPC of the breach, you will still need to apply appropriate breach management procedures to the breach in order to comply with the accountability principle under GDPR. Controllers must document every breach, whether notifiable or not, together with its effects and the remedial action taken, so breach registers will be the norm. The actions required would include:
- documenting why the breach is not notifiable
- matching this up with your policies and procedures under GDPR
- documenting how the breach has been rectified
- setting out what preventative measures are being implemented going forward
What is clear from the above is that data breach management must form part of an organisation's GDPR compliance plan. Policies and procedures on dealing with breaches should be put in place and communicated to staff. Organisations also need to put in place risk management to reduce the risk of breaches occurring in the first place. Security measures should be reviewed to ensure that if a breach happens the organisation becomes aware of it quickly.
I've said it before and I'll say it again: human error is one of the biggest risk areas in data security for organisations. This needs to be managed. There is no point in putting in place strong policies and procedures to reduce risk and manage breaches if your staff don't implement these controls in practice. Identify the risk, identify the best solution to mitigate the risk, and then make sure your staff know about and adhere to that risk management solution. Consider how your organisation would audit and test that the solution is working and how it would demonstrate to the DPC that it is being applied on a day-to-day basis. Document everything! This should be a continuous improvement initiative.
If you need advice on data protection and GDPR compliance please contact a member of our Employment Law & Data Protection Team:
Disclaimer: This article is for guidance purposes only. It does not constitute legal or professional advice. No liability is accepted by Leman Solicitors for any action taken or not taken in reliance on the information set out in this publication. Professional or legal advice should be obtained before taking or refraining from any action as a result of the contents of this publication. Any and all information is subject to change.
Bank of Ireland made a notification to the Data Protection Commissioner last week after another accidental release of sensitive staff information, according to the Sunday Business Post. The paper reports that an Excel spreadsheet containing job evaluations for dozens of employees in the bank’s branch network was published in error and searchable by people outside the organisation. It follows a report in The Irish Times last week that around 100 staff were affected earlier this year when their pay and benefits were mistakenly circulated internally.