GDPR: Data Breaches

Napthens - October 27th 2017

Companies will already be aware of the impending implementation date of the General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018.

As a result, businesses are understandably concerned about the possibility of a breach, what a breach would mean for them and what steps they would need to take if one arose.

To date there have been a number of monetary penalties against organisations that failed to comply with the existing data protection legislation; the same conduct would potentially attract the far larger fines available under the GDPR. A brief summary is set out below:

  1. Equifax:
    Last month it was reported that up to 143 million Americans and 400,000 Britons had their data stolen by hackers between mid May and July this year. The attackers had access to Equifax's web systems for approximately two months, obtaining personal information relating to the financial position of individuals, including data a fraudster could use to open credit in someone else's name. The incident is still being investigated, but it is anticipated that the reputational damage and any fine imposed could cause significant financial loss to Equifax, quite apart from the management time and costs of dealing with the breach.
  2. Honda:
    The ICO recently concluded an investigation into Honda which revealed that the company had sent approximately 290,000 emails asking customers to clarify their preferences for marketing. Honda could not evidence that the recipients had ever given informed consent to receive marketing emails, and an email asking whether someone wants marketing is itself a marketing email. This was therefore a breach of the existing Privacy and Electronic Communications Regulations (PECR) and Honda was issued with a monetary penalty of approximately £13,000.
  3. Flybe:
    Following a recent ICO investigation it was determined that approximately 3.3 million emails had been sent by the airline to people who had previously told it that they did not want to receive marketing emails. Ironically, the emails asked customers to update their marketing preferences and to confirm whether they still wished to remain on the marketing list. Flybe was subsequently issued with a £70,000 monetary penalty notice.
  4. Construction Materials Online:
    Following a hack on its website, Construction Materials Online was issued a monetary penalty notice of £55,000 for failing to take adequate measures to protect the personal information of customers using its e-commerce site. The company had simply left the operation of the website to its developers and had taken no active steps of its own (such as commissioning security testing or asking how customer data was stored and protected) to ensure that the site was secure. Outsourcing the work does not outsource the responsibility.

With regard to minimising your exposure and reducing the likelihood of one of the above breaches occurring within your business, there are a variety of steps you may wish to consider. These include, but are not limited to, the following simple suggestions:

  1. Encryption of data: Encrypting data means that if a device or file is lost, stolen or copied, the contents cannot be read without the key, so the data subjects are not put at risk. This applies to internal documents, USB drives, mobile phones, laptops and other portable devices, and to backups. The protection only holds if the key is not lost with the device (for example, a password written on the laptop, or a key stored on the same USB stick) and if the key is strong; encryption does not help against an attacker who has a legitimate user's credentials
  2. Wi-Fi networks: Keeping public (guest) and private (staff) wireless networks separate, so that a device on the guest network cannot reach internal systems, adds an additional layer of protection against hackers and other unwanted visitors
  3. User restrictions: Ensuring that employees can only access the personal information that is relevant to their role (the principle of least privilege), as opposed to an open system which allows anyone to wander between areas that have nothing to do with their current work. This both limits what a careless or malicious insider can see and limits what an attacker gains from any one compromised account
  4. Data processors: When you outsource responsibilities to others (e.g. payroll providers), ensure that you understand the processing they carry out, that you have a written contract covering it, and that they are taking steps to comply with your own internal policies and procedures as well as both your and their GDPR obligations. Ignorance is no defence
  5. The double opt-in: For marketing emails, asking a new subscriber to confirm their email address by clicking a link sent to it is always preferable to simply accepting an address typed in by an unknown party; it proves the person controls the address and gives you a timestamped record of consent
  6. Written policies and procedures: Ensure that staff are educated in the correct processes to be followed and the penalties that may ensue if they are not, and consider how you deal with leavers (revoking accounts and recovering devices promptly)
  7. Subject Access Requests: Be prepared and comfortable with the process. The time to respond shortens from 40 days to one month, and it is likely that the number of requests will increase after May, so ensure your team are familiar with the requirements.
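The double opt-in in point 5 is the one suggestion above that is a concrete mechanism rather than a policy, so here is a worked version of it. This is an added example, not code from the original article or from Napthens: it assumes a hypothetical sign-up flow in which the address is held as "pending", a confirmation link carrying a signed, time-limited token is emailed to it, and only a valid token returned from that link marks the address as confirmed. The HMAC stops anyone forging a confirmation for an address they do not control, the expiry stops old links being replayed indefinitely, and the resulting record (address, request time, confirmation time) is the evidence of consent that Honda and Flybe were unable to produce.

```python
"""Double opt-in confirmation tokens (added example, not from the original article).

Assumed flow: request_subscription() records the address as pending and returns
the token to embed in the confirmation link; confirm() is called with the token
from that link and, if it verifies, records consent with timestamps.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Hypothetical server-side secret; in production load it from a secrets store,
# never generate it at start-up as done here for a self-contained example.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 48 * 3600  # confirmation link valid for 48 hours


def _b64e(raw: bytes) -> str:
    """URL-safe base64 without padding, so the token is link-friendly."""
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_confirmation_token(email: str, issued_at: Optional[int] = None,
                            key: bytes = SECRET_KEY) -> str:
    """Return 'payload.signature', where payload binds the normalised address
    and the issue time and signature is HMAC-SHA256 over the payload."""
    issued_at = int(time.time()) if issued_at is None else issued_at
    payload = f"{email.strip().lower()}|{issued_at}".encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(sig)}"


def verify_confirmation_token(token: str, now: Optional[int] = None,
                              key: bytes = SECRET_KEY,
                              ttl: int = TOKEN_TTL_SECONDS) -> Optional[str]:
    """Return the confirmed address, or None if the token is malformed,
    forged (bad signature) or outside its validity window."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _b64d(payload_b64)
        sig = _b64d(sig_b64)
    except ValueError:  # includes binascii.Error for bad base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    try:
        email, issued = payload.decode().rsplit("|", 1)
        issued_at = int(issued)
    except ValueError:
        return None
    if issued_at > now or now - issued_at > ttl:
        return None
    return email


class ConsentRegister:
    """Minimal in-memory sign-up store, constructed for this example."""

    def __init__(self) -> None:
        self.pending: dict[str, int] = {}
        self.confirmed: dict[str, dict[str, int]] = {}

    def request_subscription(self, email: str, now: int) -> str:
        """Record the address as pending and return the token for the link."""
        email = email.strip().lower()
        self.pending[email] = now
        return make_confirmation_token(email, now)

    def confirm(self, token: str, now: int) -> bool:
        """Accept a token once: a valid token for an address no longer pending
        (already confirmed, or never requested) is rejected."""
        email = verify_confirmation_token(token, now)
        if email is None or email not in self.pending:
            return False
        self.confirmed[email] = {
            "requested_at": self.pending.pop(email),
            "confirmed_at": now,
        }
        return True

    def may_email(self, email: str) -> bool:
        """The only question the marketing system should ask."""
        return email.strip().lower() in self.confirmed


if __name__ == "__main__":
    reg = ConsentRegister()
    t0 = int(time.time())
    tok = reg.request_subscription("Alice@Example.com", t0)
    print("before confirm:", reg.may_email("alice@example.com"))
    print("confirm:", reg.confirm(tok, t0 + 60))
    print("after confirm:", reg.may_email("alice@example.com"))
    print("replay:", reg.confirm(tok, t0 + 120))
```

Two design points are worth noting. The address is normalised before signing and before lookup, so "Alice@Example.com" and "alice@example.com" are one subscriber and the token cannot be replayed against a differently-cased copy. And `may_email` consults only the confirmed set: an address that was typed into a form but never confirmed is never emailed, which is exactly the gap the Honda and Flybe emails fell into.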

In terms of what you must do in the event of a significant breach, you must ensure that:

  1. Breaches that meet the mandatory reporting threshold are reported to the supervisory authority, which for the UK is the ICO. Under the GDPR this means any personal data breach unless it is unlikely to result in a risk to the rights and freedoms of the individuals concerned.
  2. The report is made without undue delay and, where feasible, within 72 hours of becoming aware of the breach. These are not working hours, which means that if you become aware of a breach on a Friday afternoon it must be reported by the same time the following Monday afternoon. If you report later than 72 hours you must give reasons for the delay, and you may report in stages if the facts are still being established.
  3. You document all breaches, even those that are not notifiable, recording the facts, the effects and the remedial action taken, to demonstrate that you are adhering to your own internal processes and procedures and to allow the ICO to verify compliance.
  4. You are prepared for the new obligation to notify the affected data subjects themselves, without undue delay, where the breach is likely to result in a high risk to them. Notification to individuals is not required where the data was protected in a way that makes it unintelligible to whoever obtained it, for example by encryption, which is one reason point 1 of the suggestions above matters.

The GDPR builds upon the existing Data Protection Act 1998, but with a key focus on demonstrable compliance and risk reduction, as opposed to a "tick box" exercise. Specialist lawyers across our firm can help ensure that you meet your data protection responsibilities in a number of key areas. This includes a variety of options such as:

  • Guidance and assistance in information and data audits
  • Implementing new policies and procedures in order to comply with the recent requirements
  • Drafting and amending terms and conditions and contractual documents with both suppliers and customers
  • Privacy notices
  • Advice and support during data issues
  • Training of data protection officers, senior managers and staff on specific GDPR obligations
  • Devising processes for handling data breaches
  • Management and litigation advice

For more information, please contact our GDPR specialists on 01772 888 444 or by email to GDPR@napthens.co.uk