Dealing With Data Breaches
A slow response to a data breach can mean even bigger problems for a company.
If your business has suffered a data breach, the solicitors at DPP GDPR can provide valuable legal advice. Contact us today on 0333 200 5859.
The General Data Protection Regulation (GDPR) is a set of laws surrounding the processing of personal data that came into effect in May 2018. GDPR is a European invention but is regulated in the UK by the ICO (Information Commissioner’s Office).
Under GDPR, all personal information processed by companies must:
- Be collected with the subject’s explicit consent
- Not be collected if the purpose of the processing is not clearly explained
- Be held securely in a location that is only accessible to authorised parties
- Only be used for the purposes originally explained to the data subjects
- Only be retained for as long as it is required for those purposes
- Not be shared or transferred in a way that is unlawful or insecure
- Be made accessible to the data subject by way of a Data Subject Access Request within 40 days
- Only be processed by an appointed data processor
Failing to comply with these requirements may result in data breaches. They will also render your company liable for investigation or prosecution by a supervisory authority such as the ICO.
Contact DPP GDPR’s data protection breach solicitors by calling us on 0333 200 5859 for assistance handling data breaches.
Different types of data breaches
Public bodies may face penalties if they are found guilty of the following actions:
- Losing data accidentally
- Using data in a manner for which it was not collected, without consent
- Committing data theft
- Failing to secure data correctly, resulting in data theft
- Sharing data with the wrong organisation or individual, or sending it to the wrong location
- Sharing documents or information without anonymising or redacting any sensitive data they contain
- Accessing data without permission
- Data hacking
- Disclosing data deliberately with malicious intent
If you suspect that any of the above actions have been committed during your company’s processing of data, you must inform the ICO within 72 hours.
How our GDPR data breach solicitors can help you
As well as helping you to develop strong policies and processes that will protect you from data breaches, we can:
- Help you to rectify a breach and take steps to make your business secure after the event
- Assist in your analysis of the breach
- Help you to work out which of your systems might still be vulnerable
- Suggest ways in which you might prevent future problems
- Advise you on the best way to notify the affected data subjects, businesses and the ICO without undue delay
- Help you to communicate information about the breach to other public bodies and authorities such as the police or media
- Provide assistance throughout any ICO investigation
- Defend you in court if any of the data subjects decide to make data protection claims, or if you are prosecuted by the ICO
Along with the above, our data breach solicitors can advise you on:
- General contract law
- GDPR compliance
- Technology Law
- GDPR Audits
- Data Protection Law
Types of data that can be breached
Any information that can be used independently or as a group to identify an individual counts as personal data and can be breached.
This includes:
- Contact details (particularly telephone numbers, email addresses and home addresses)
- Medical or criminal records
- Genetic or biometric information
- Other identity-related information, such as racial background, marital status, religion and political views
- Information about services used by the data subject, or restrictions that have been placed upon them relating to services
- Information relating to National Insurance or taxation
- Details of any ongoing court cases or investigations of which the data subject is a part
Unlawfully disclosing private corporate information also constitutes a breach of data protection. This may include:
- Disclosing details of private intellectual property
- Sharing trade secrets
Compensation and legal remedies
Data subjects affected by data breaches may claim material damages if the breach has resulted in financial loss. They may also claim non-material damages for any distress caused.
Following a data breach, your company may face:
- Inspections and audits
- Sanctions
- Bans and restrictions on the processing and sharing of data with third parties or across jurisdictions
- Orders to make changes or improvements
- Prosecution
- Penalties
The highest penalty for a minor data breach equates to 2% of your company’s annual revenue or €10 million (whichever is higher).
For a serious breach, you may face a fine of up to 4% of your revenue or €20 million.
Compliance Support
There is a variety of support you can call upon to ensure you meet the required standards to prevent a data breach or to improve your security after one.
For a start, the ICO provides a helpful auditing service. This approach sees their representatives investigate your procedures and suggest changes. The audit is usually followed by a second check-up after around six months.
Smaller companies may benefit from advisory visits from the ICO in place of audits. This is a less in-depth method where general advice is given regarding their GDPR compliance.
It’s also a very good idea to seek legal advice. Specialist GDPR solicitors can spend time looking through all of your processes and can also help you to make necessary changes.
Remember: for a year after your ICO audit, a simplified version of the results will be visible on the body’s website. For this reason, it may be best to consult legal experts before applying for this type of help.
Frequently asked questions about data protection breaches
How soon do companies have to inform the ICO of a security breach?
You must get in touch with the ICO within 72 hours of a breach.
What information must you give to the ICO following a security breach?
Following a breach, you must tell the ICO:
- What type of breach has occurred
- The kind of data that has been compromised
- How many people may have been affected
- How many sets of records were involved
- The categories into which the data falls
- Details of your company’s data protection officer or any other person tasked with handling data, including:
  - Name
  - Contact information
- The possible consequences of the breach
- What you have done and what you will do to deal with the breach and any resulting fallout
What is the maximum fine for a breach of UK data protection?
The largest fine possible for a minor breach is the larger of either 2% of your company’s revenue or €10 million.
If the breach was significant, you may be charged up to 4% of your revenue or €20 million.
For help preventing data breaches or handling the aftermath, contact DPP GDPR on 0333 200 5859.