How to Respond to a Data Breach
How to respond to a data breach and stay compliant with GDPR
The UK General Data Protection Regulation (GDPR/UK GDPR) came into effect in early 2021 and, together with the Data Protection Act 2018, forms the mainstay of the UK's data protection regime. The GDPR sets out various principles relating to the processing of personal data, including the obligations of those who hold and process individuals' personal data (data controllers and processors) and the rights of those whose data is processed (data subjects). This article will set out the remedial action that should be taken by an organisation that has suffered a personal data breach in order to minimise the consequences of the breach, which can range from damage to reputation to fines of up to 4% of an undertaking's turnover.
When Must You Comply with the GDPR?
Any UK-based company or organisation that processes data in the UK must comply with the UK GDPR. The UK GDPR applies to the processing, whether automatic or manual, of personal data. Compliance with the principles of the GDPR is also required of organisations based outside of the UK, but whose processing activities monitor the behaviour of data subjects in the UK and relate to the provision of goods and services to data subjects in the UK. Monitoring the behaviour of data subjects in the UK might involve tracking internet users to analyse their personal preferences, meaning that any website using tracking cookies is subject to and must abide by the UK GDPR.
An organisation required to comply with the UK GDPR must be aware of the consequences of a data breach and should implement internal procedures with the primary aim of preventing such a breach, but which should also serve as a means by which prompt action can be taken following a breach to mitigate its effects.
A data controller is most typically an organisation or employer which may engage data processors to carry out a variety of functions. These usually include payroll. A data processor simply processes personal data on behalf of the data controller. Both have various data protection obligations which they must carry out.
Simply put, personal data relates to the personal details of data subjects, and can include details about their education, employment, finances and health.
Under the UK GDPR, data processing is broadly defined as "any operation or set of operations which is performed on personal data or on sets of personal data". Both manual and automated processing trigger the application of the GDPR. Processing personal data can include recording, storing, altering, transmitting and disclosing data.
The GDPR places particular emphasis on special category data. This data includes any personal data concerning a data subject's political views, health information, race, ethnicity, trade union membership and sexual orientation. Data controllers and processors must have a lawful basis under the GDPR in order to possess and process special category data. Controllers and processors are expressly prohibited from processing special category data without the consent of the data subject or the satisfaction of certain grounds set out in the GDPR.
Data controllers must abide by the obligations imposed upon them by the UK GDPR and, importantly, must also be able to demonstrate compliance. These obligations include compliance with the GDPR principles, maintaining an internal record of processing activities and implementing safeguarding measures (i.e. data protection policies) to ensure that data is processed in line with the principles of the GDPR.
Data processors are also subject to particular duties and obligations and, together with data controllers, are jointly and severally liable for any data processing carried out during the course of their engagement. Data processors must also maintain and regularly update an internal record of processing activities and put in place security measures to prevent data breaches.
Consequences of Data Breaches
Data controllers and processors should bear in mind the consequences of a GDPR data breach. There are two possible courses of action that can be taken against a non-compliant organisation: legal action brought by affected data subjects and fines issued against the organisation by the Information Commissioner's Office (ICO).
The ICO is an independent body responsible for enforcing the UK's data protection laws. The ICO has significant investigative powers, acts as a supervisory authority and can also issue fines to organisations that breach, or fail to comply with, certain principles of the UK GDPR. In particular, any organisation that fails to uphold the rights of data subjects and to meet its own obligations under the GDPR (including processing data in line with the basic provisions of the GDPR) can be fined.
The fines can be particularly burdensome, with a maximum limit of whichever is the higher of £17,500,000 or 4% of the undertaking's annual turnover.
The breach of other principles of the GDPR, including maintaining an internal record and breach notification, carry their own fines, with a maximum limit of whichever is the higher of £8,700,000 or 2% of the undertaking's annual turnover.
Increasingly, affected data subjects have been bringing legal proceedings against a data controller and a data processor in the event of a breach that puts the data subjects' personal data at risk.
In July 2022, British Airways settled a lawsuit brought against it by several claimant-led law firms representing over 16,000 British Airways customers who had fallen victim to a data breach affecting British Airways in 2018. Approximately 430,000 customers discovered that their personal data had been compromised. The exact amount of the settlement was not disclosed, but the case brought against British Airways was the largest group action concerning personal data in UK history and should serve as an important warning to data controllers and processors.
British Airways was also fined £20 million by the ICO, whose investigation of the breach revealed that there was a serious failure on British Airways' part to implement appropriate security measures in line with the GDPR.
Handling Data Breaches: A Definitive Action Plan
A personal data breach occurs when a security breach results in the destruction, unauthorised disclosure, corruption or loss (whether accidental or wilful) of data subjects' personal data. Personal data breaches affect the confidentiality, integrity or availability of personal data, and do not have to involve the acquisition of the data by a third party. This means that the data does not have to be leaked to an unauthorised party in order for the breach to occur.
There are prudent preventative measures that an organisation can take to minimise the risk of a GDPR breach, but where breaches do occur despite the implementation of preventative measures, a remedial action plan should be followed.
Data controllers are obliged to report a data breach to the ICO without undue delay, and wherever possible, within 72 hours of having become aware of the breach. If notification is made after the 72-hour threshold, controllers must be able to justify the delay. Importantly, controllers only need to comply with this notification requirement where the breach in question is likely to result in a risk to data subjects.
Notification of the breach to the ICO should include details of the breach (e.g. how many data subjects are likely to be affected, whether the breach involves special category data etc.), the anticipated consequences of the breach and the measures taken by the company to mitigate those.
If the breach results in a particularly high risk to data subjects (e.g. where the breach runs the risk of identity fraud), the data controller must also inform the data subjects of the breach. Again, the notification must be made without undue delay. The 'high risk' threshold for informing individuals is therefore higher than the 'risk' threshold that triggers the requirement to notify the ICO of a breach.
Whether a data breach is likely to pose a risk (high or otherwise) to data subjects is a question of fact. For example, where a member of staff at a hospital leaves documents relating to the medical records of patients where they can be easily accessed by the public, there is a clear risk to the patients' personal data. In any case, the ICO will be able to compel the controller to inform affected data subjects of a breach where the ICO considers that the breach poses a high risk.
When notification is made to data subjects, this should be in clear language and should describe the breach and how it affects the data subjects. It should also provide the affected data subjects with a comprehensive description of the steps being taken by the controller to remedy and mitigate the breach. It would also be prudent to give the data subjects information and advice on some steps they should take to protect themselves, which may include simply advising them to monitor their accounts for signs of fraudulent behaviour.
The controller must also deploy a comprehensive response to the breach in addition to its notification obligations. This can include several steps whose implementation may vary by organisation, but whose aim should be to minimise the effects of the breach. For example, the controller could launch an investigation into the cause of the breach and implement measures to ensure the breach does not occur again. Where the controller has notified the affected data subjects of the breach, the controller could also offer these individuals protection from the fall-out (e.g. against identity theft).
Even where no notification to the ICO or to data subjects is required, organisations must not be complacent in ensuring that they comply with the other obligations imposed on them by the GDPR in the event of a breach. For example, an internal record of the breach, its effects and any action taken by the organisation to mitigate the consequences must be kept.
Data processors must also comply with certain obligations. Where a data processor is engaged by an organisation, details of any breach that comes to the attention of the processor must be disclosed to the controller as soon as possible. If there is a written agreement between the processor and the controller, this will normally set out any additional steps that the processor should take following a breach.
Preventing a Data Breach
Rather than be forced by the occurrence of a breach into taking appropriate measures to guard against future breaches, organisations should prioritise implementing internal measures to ensure that a breach does not occur at all. Such measures are usually preventative and investigative in nature. For example, preventative internal measures should aim to minimise the risk of human error resulting in a breach and can include mandatory data protection training, the circulation of internal data security policies, the implementation of risk assessment procedures and the restriction of access to particularly sensitive personal data records.
Prudent organisations will also often appoint a data protection officer (DPO) to supervise and coordinate the company's GDPR compliance strategy. As an expert on the principles of the GDPR, the DPO will be an important point of contact in the event of a breach and will usually set the tone of the company's response. The DPO's contact details should also be given to the ICO following a personal data breach notification.
Some organisations will also have internal protocols in place, usually set out in employment contracts and the company's constitutional documents, that detail the company's internal response to a data breach.
The Bottom Line
As in many cases, prevention is better than cure. The various measures that an organisation can take to prevent the occurrence of a data breach and to comply with the UK GDPR are usually straightforward, practical and easy to implement. Where a breach does occur, organisations must ensure that their internal checklist of follow-up actions is robust and capable of producing an appropriate mitigatory response to a breach.