Data breaches can happen in the blink of an eye, and the Information Commissioner's Office (ICO) doesn't hesitate to levy penalties for breaches in data protection legislation.
Dealing with a data breach
- Make sense of the law
- Understand data protection
- Know the types of personal data
- Ensure you have the right to process data
- Data protection principles
- Identify the breach
- Security, integrity & confidentiality principles
- Report suspected breaches
- Include all necessary information in the report
Let's say you have a customer who claimed on an insurance policy. Your company approves the claim and sends the customer's details to a subsidiary. You get a query from the customer regarding a phone call from someone claiming to be a subsidiary of your company.
The customer reports that the caller didn't ask any security screening questions, which is suspicious. Upon investigation, you see no record of the phone call from the subsidiary in the customer's file. Could there be a data breach?
Before dealing with a data breach, it's important to understand the law and how to identify a breach. This understanding protects you from failing to report a suspected breach in future.
1. Make sense of the law
UK data protection law was largely governed by EU law for the first two decades of the millennium. However, after 31 December 2020, the EU GDPR no longer applied to the UK.
That said, the UK pulled almost all of the EU GDPR's requirements into UK law through the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019. This amended the Data Protection Act 2018 to create a UK-specific data protection scheme, the UK GDPR.
2. Understand data protection
Data protection covers how data is collected, used and stored by companies, the government, authorities and service providers to whom it is given or who collect it.
The main purpose associated with data protection is to establish a balance between the individual's right to privacy and the right to use (and potentially profit from) the data of those individuals.
The data protection concept is part of the duty a company owes to its customers and employees, a breach of which can seriously impact the company's reputation and the trust in and loyalty given to the company.
Data protection legislation generates specific obligations linked to processing personal data, providing harsh penalties for those found to be in breach of the law.
3. Know the types of personal data
Data is a broad term that refers to any items of information, such as facts or statistics, that are collected, stored or used. Data is not limited to electronic records – it may include paper records that form part of a filing system.
Data protection legislation focuses on processing personal data. Personal data is any information that relates to a living person whom that data can directly or indirectly identify.
Data protection legislation also emphasises two types of personal data – special category ('sensitive') data and data about criminal offences.
- Special category data is any data that may reveal something about an individual's racial or ethnic origin, political opinions, religious beliefs, membership in a trade union, physical or mental health, sex life or sexual orientation, genetics or biometric characteristics (where used for identification purposes).
- Data on criminal offences refer to the data of criminal offenders or individuals who are the subject of criminal allegations, investigations, and proceedings.
Processing these types of personal data is subject to additional conditions.
4. Ensure you have the right to process data
'Processing data' includes any action performed on or affecting personal data, whether or not by automated means. This could include collection, classification, storage, alteration, disclosure, dissemination or destruction.
You must have at least one valid lawful basis to process personal data. Processing personal data without a lawful basis amounts to a data protection breach.
The six lawful bases are:
- Consent – an individual has provided clear and affirmative consent to the processing.
- Contract – the processing is necessary for a contractual relationship.
- Legal obligation – processing is necessary to comply with the law.
- Vital interests – processing is necessary to protect someone's life.
- Public task – processing is done in the public interest or as part of official functions.
- Legitimate interests – processing is needed to protect the legitimate interests of the processor or a third party unless the need to protect the individual's privacy overrides this need.
Note that the data source is irrelevant. For example, it does not matter if you find the data in a public domain such as a website or if the data subject volunteered it; you still need to have a lawful basis for processing the data.
A lawful basis for processing data does not give you carte blanche to process data. Rather, processing personal data is also subject to several principles.
5. Data protection principles
The UK GDPR seems to work in sets of six. There are six principles a data processor must comply with when collecting, storing and using personal data. Here they are:
- Processing must have a lawful basis and be fair and transparent.
- Processing must be limited to an explicitly stated and legitimate purpose.
- The amount of personal data processed must be restricted to the minimum needed to achieve the stated purpose.
- Personal data subject to processing should always be accurate and kept up to date.
- Personal data must not be kept longer than necessary to achieve the stated purpose of processing; after the storage limit has expired, it must be disposed of securely.
- Personal data must be processed to ensure appropriate security and protection against unauthorised or unlawful processing and accidental loss, destruction or damage.
Failure to adhere to any of these principles amounts to a breach of the legislation.
6. Identify the breach
The easiest way to manage data breaches in your company is to have a data breach register. Compliance registers are an essential aspect of compliance and ensure nothing slips through the cracks.
Managing your registers in one place enables you to track and approve entries in a timely and consistent manner. This is important when it comes to identifying data breaches and, essentially, avoiding penalties.
Let's go back to our scenario to consider whether a breach occurred. A breach is any point where you are not following the law. This could be because you did not have a lawful basis to process the data, or, as noted above, it could result from a failure to adhere to one or more data protection principles properly.
In the scenario, as an insurer, you process a great deal of personal data on the customer, some of which could be classified as a special category and criminal offence data. Of course, you process this data using one or more lawful basis, including consent, legal obligation and contractual needs.
Therefore, it is unlikely that you have committed a breach for want of a lawful basis of processing. So, the main question you need to ask is whether a breach is caused by violating one of the underlying data protection principles.
7. Security, integrity & confidentiality principles
Personal data must be processed to ensure appropriate security and protection against unauthorised or unlawful processing and accidental loss, destruction or damage.
To comply with this principle, you must implement and maintain appropriate technical or organisational measures, including systems and controls, to prevent personal (and sensitive) data from being accidentally or deliberately corrupted, viewed, lost or stolen.
Suppose the customer's story in the scenario is true. In that case, it implies that either another department of your firm contacted the customer in error or there's been an information security breach.
If a different department made the call, the fact that they did not add the details of the phone call to the customer's file could imply they identified their error and chosen not to highlight it.
This action potentially breaches the purpose limitation principle along the way. Either way, you have acknowledged a potential information security breach. What should you do?
8. Report suspected breaches
Never ignore a suspicion! The data protection legislation establishes a duty on your company to report certain personal data breaches to the ICO. Where feasible, you need to do this within 72 hours of becoming aware of the breach.
Furthermore, if the breach is likely to result in a high risk of adversely affecting individuals' rights and freedoms, the company must also inform those individuals without undue delay.
For these purposes, you must report any knowledge or suspicion of an information security breach without delay so that the company can satisfy this duty if required. Even if it is deemed that there is no obligation to report the matter to the ICO, there is still a duty to keep a record of any personal data breaches.
If you don't know to whom you need to report this information, discuss it with your manager. It is likely that the report should be made directly to the company's data protection officer (DPO) or compliance team. They will have to investigate whether the breach resulted from human error or a systemic issue and see how a recurrence could be prevented.
9. Include all necessary information in the report
The DPO may also have to conduct a new or amend an existing data protection impact assessment (DPIA). This tool is designed to help a company analyse their data processing, identify and minimise data protection risks upfront and help the company be more proactive and aware of data protection issues.
As noted by the ICO, when reporting a breach, the company must include the following information:
- a description of the nature of the personal data breach including, where possible, the categories and approximate number of individuals concerned and the personal data records concerned;
- name and contact details of the DPO (if your organisation has one) or another contact point where authorities can obtain more information;
- a description of the likely consequences of the personal data breach;
- a description of the measures taken or proposed to be taken to deal with the personal data breach;
- a description of the measures taken to mitigate any possible adverse effects, where appropriate.
So, when you report to the DPO, you should include as much information as possible to assess the relevant risks. And then, you can rest assured that this particular issue is in the hands of a data protection expert.
Always report potential breaches, whether or not they result from your actions. The longer you wait to report, the less time your company has to deal with the issue. This delay could inadvertently result in further breaches and, potentially, an exponential increase in liability.
It is your responsibility to understand the compliance requirements established by the data protection legislation – ignorance of the law is never a valid defence.
Want to learn more about GDPR?
We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by a comprehensive library of GDPR Courses.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.