If you collect information about individuals for any purpose other than your own personal reasons you must comply with data protection laws. In the UK you must comply with the Data Protection Act 2018 and the UK GDPR. Most businesses are subject in some way to the data protection regime. We help clients comply with these rules through carefully planned data protection audits and assessments as well as ongoing advice and guidance.
When things go wrong, for example if there’s a data breach or you receive a complaint from a client or consumer, it’s crucial to get on top of matters quickly. Data breaches can be managed effectively, but failure to take appropriate action can irreparably harm your commercial reputation. There are many concerns and questions around data protection and GDPR. Here we discuss some of the main issues for clients around data breaches and incident management.
Note that the Data Protection Act 2018 (the DPA) is the legislation that implements GDPR into UK law. Since Brexit, the GDPR has been retained in UK law, referred to as the UK GDPR. For ease of reference throughout this article we use the term ‘data protection laws’ when referring to both the DPA and UK GDPR.
- How do you know if your business has breached the data protection laws?
- What constitutes a breach of the data protection laws?
- How to report a GDPR data breach yourself
- Actions to take if a client or consumer reports a data breach
- Notifying the subjects affected by a data breach
- Offering compensation or settlements for a data breach
- Should you send an apology letter about the data breach?
- Dealing with group actions for data breaches
- Dealing with complaints to the ICO about your data protection policies
How do you know if your business has breached the data protection laws?
Your business is likely to become aware of a data breach in one of two ways:
- Someone in the business becomes aware of the breach; or
- A breach is reported to the Information Commissioner’s Office (the ICO) by a third party such as a consumer or client
The data protection laws require businesses to have suitable controls in place to detect personal data breaches. So, the onus is on you, as a controller, to adequately monitor the processing of information within your organisation, to spot data breaches when they occur and to take the appropriate action.
What constitutes a breach of the data protection laws?
Under Article 4 of the GDPR a breach of personal data is about more than losing data. The ICO describes a personal data breach as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed.
This definition has been widely drawn. Following the introduction of the EU GDPR in 2018 the ICO indicated that there was an over-reporting of possible data breaches. It was estimated that a third of reports of GDPR breaches were made in error. The unnecessary reports represented incidents that did not meet the bar set for what constitutes a breach of the GDPR rules. This was probably down to businesses being over-cautious in the period immediately after GDPR became law. But over-reporting represents a waste of valuable time and resources, so it’s important that you understand what constitutes a breach of the data protection rules. It also raises the question of whether the person reporting has the necessary skill and knowledge to recognise a breach that requires reporting.
Not every data breach needs to be reported. Some breaches won’t present any kind of threat to individuals and in general should not be reported, but should be logged internally. For a breach to amount to one that requires ICO involvement there must be a risk of physical, material or non-material damage to individuals. Damage may include identity theft, financial loss, damage to reputation or an individual’s loss of control over their personal data.
Businesses need to make the decision on whether to report a breach on a case-by-case basis. There is a useful self-assessment tool on the ICO website that helps businesses decide whether to report a breach or not. If, after due consideration, you decide not to report the breach you must keep a written record of your justification for not doing so. Such breaches also make useful training exercises so a similar breach doesn’t occur again.
How to report a GDPR data breach yourself
The rule of thumb is that you should report a breach without delay but no later than 72 hours after you have become aware of it. The exception is where the breach is unlikely to result in a risk to the rights and freedoms of individuals. A risk assessment can help you determine whether a breach needs to be reported to the ICO. When contacting the ICO you should set out:
- The nature of the breach
- The number of individuals affected
- An estimation of the possible consequences of the breach
- A description of the measures you are going to take to deal with the breach
Understandably, not all of this information will be available within the 72-hour window. But the ICO expects you to investigate the matter urgently and to explain why you don’t have the information to hand.
The European Data Protection Board has endorsed the WP 29 Guidelines on Personal Data Breach Notification. Despite the UK leaving the EU, the ICO states that this guidance is relevant.
Actions to take if a client or consumer reports a data breach
If a consumer complains that there’s been a data breach you should attempt to:
- Resolve the matter informally
- Take remedial action to prevent the breach occurring again
- Mitigate any damage caused and make a record of the steps you have taken
- Assess whether the alleged breach is one that should be reported to the ICO (see previous section)
If you report the breach the ICO will require certain information and investigate in the usual way. If you decide not to report the alleged breach the complainant may still contact the ICO and it will be up to the ICO whether to pursue the matter.
Notifying the subjects affected by a data breach
When you become aware of a data breach you should assess whether the breach represents a ‘high risk’ to the rights and freedoms of individuals. Note that this is a higher test than for notifying the ICO of a breach, where there only has to be a ‘risk’ to rights and freedoms (see ‘How to report a GDPR data breach yourself’ above). If you decide there is a high risk you must notify individuals as soon as possible. An example of a high-risk breach would be a healthcare provider accidentally publicising patient medical records.
When informing individuals of a data breach, you should describe the breach, its likely impact and the steps you are taking to rectify it.
If you don’t notify individuals of a breach (because you believe it doesn’t pose a high risk to rights and freedoms) you must still record the reasons for that decision.
Offering compensation or settlements for a data breach
Individuals can claim damages for financial loss and distress caused by a data breach. In many cases, from a reputational and financial perspective it will be sensible to offer compensation to individuals affected by a data breach within your organisation. If you need advice on settling a claim or you are facing a claim for damages from an individual affected by a data breach our team of data protection lawyers can provide practical and cost-effective advice.
Should you send an apology letter about the data breach?
An apology letter following a data breach will be appropriate in some circumstances. It shows that you recognise the seriousness of the breach and, by outlining the steps you have taken to prevent a similar breach recurring, the apology can help restore trust in your organisation among your clients and consumers.
However, you should seek legal advice before sending any apology and ensure that it is drafted in a way that will not expose you to any further liability or unexpected future legal action.
Dealing with group actions for data breaches
Until 2015 group actions for breaches of data protection laws were practically unheard of. That’s all changed. Recent high-profile data breaches involving companies like Google, Morrisons (a UK supermarket chain) and Equifax in the US involved thousands of consumers. And the subsequent court actions against these companies by groups of people affected have increased the public’s awareness of its rights under GDPR. So the possibility of a group action following a data breach must always be considered. Even if the loss to an individual is minimal, if there are hundreds or more affected data subjects then the potential cost to a business in terms of paying out damages could be huge.
The legislation specifically allows individuals to claim compensation for monetary loss and distress resulting from a breach of personal data. Significantly, in 2019 the Court of Appeal appeared to sanction claims for loss of data control even where there has been no monetary loss or distress.
The case, Lloyd v Google, is a representative action on behalf of 4 million iPhone users whose data was allegedly compromised by the Safari workaround in 2012. While the decision may well be appealed to the Supreme Court, for now claimants in group actions have certainly been given an incentive to pursue actions for loss of data control and other data breaches.
We have produced a comprehensive guide to GDPR compliance for business.
Our teams of data protection lawyers can help you ensure that you have the correct procedures in place to avoid significant data breaches, and provide guidance on the approach to take when a data breach does occur. With an experienced team of litigators, we are equipped to defend you in all data protection-related claims, including group and representative actions.
Dealing with complaints to the ICO about your data protection policies
As we’ve discussed, an individual who believes their data has been breached by your organisation can complain to the ICO. But what if someone, an employee for example, has concerns about the way your organisation handles data generally or believes your GDPR policies are inadequate?
Individuals with such concerns can also disclose them to the ICO. And in doing so they are likely to be protected by the whistleblowing provisions of employment law.
The ICO will investigate whistle-blower complaints and has a range of regulatory actions at its disposal if it believes the situation warrants intervention. It may simply make recommendations for you to change policies or, in more serious cases, take formal enforcement action that could result in a significant financial penalty. If you are concerned about regulatory intervention by the ICO you can contact our data protection solicitors for advice.