Data breach solicitors
Data breaches are unfortunately a fact of life and can be a stressful experience to navigate.
The UK GDPR requires organisations to ensure they have robust breach detection, investigation and internal reporting procedures in place. Organisations are under an obligation to act promptly and mitigate the risks of any breach and, depending on the risks, may have reporting obligations to the ICO, the data subjects, or both.
It is crucial that businesses understand and comply with their obligations.
Understanding Data Breaches
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Often, the term ‘data breach’ will prompt images of an unauthorised third party hacking into a company’s computer system and stealing personal data. This is due, in part, to the fact that these are the types of breaches that hit the headlines. Whilst this is indeed a personal data breach, the definition above is much broader and could even cover an employee altering personal data without authorisation.
In practice, for most organisations, the most common personal data breaches involve personal data being sent to the wrong email recipient or sending emails to multiple recipients without using the ‘BCC’ function.
Personal data breaches can have a devastating impact on both businesses and data subjects. For businesses, it can impact their operations and lead to financial loss (such as a fine from the ICO, compensation to individuals, and the cost of remedying any breach), reputational damage and legal claims. For individuals, the breach could cause them to lose control of their personal data and could result in identity theft, emotional distress and financial loss.
Why You Need a Data Protection Breach Solicitor
Our team has extensive experience in data protection law and in advising businesses of all sizes and resources on their data protection obligations, including data breach management. We can help you navigate the legal process and take steps to better protect your business and mitigate your risks.
Our Data Breach Solicitors Services
We can advise you on all aspects of data breach management including:
- UK GDPR provisions and obligations relating to data breaches including timeframes for breach notification and potential penalties
- Internal data breach reporting procedures
- Policy documentation
- Responding to a data breach and mitigating the risks that follow it
- Risk assessments
- Reports to the ICO and data subjects
- Investigations by the ICO
- Preventative measures including providing tailored training for employees and senior management
Preventing Future Data Breaches
It’s crucial that lessons are learnt from data breaches and that businesses take the time to review and consider their practices and processes.
Steps that could be taken include:
- Providing training to help identify data breaches, promote best practice and set out procedures to be followed, including breach reporting;
- Having clear policies and procedures in place (and points of contact) to assist in the event of a data breach;
- Having support mechanisms in place, especially for new starters;
- Encouraging double checking;
- Encouraging data breach reporting; and
- Implementing stronger security controls, for example encrypting laptops and mobile devices and adding safeguards against misaddressed email.
Contact Our Expert Data Breach Solicitors
If you need any assistance with data breaches or data protection in general, please get in touch with our data protection team.
“Very professional, knowledgeable and accessible lawyers.”
Chambers and Partners
FAQs – Data breaches
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
It is a wide definition and covers more than just deliberate data breaches.
Data breaches cover a wide range of incidents. Some common examples include:
- Sending personal data to the wrong email recipient
- Sending emails to multiple recipients without using the ‘BCC’ function
- Providing personal data in response to a phishing scam
- Compromise of passwords, email accounts, networks and systems
- Unauthorised access to personal data on lost or stolen laptops or mobile devices
- Altering personal data without permission
- Theft or loss of hard copy documents (such as print outs)
Not all breaches need to be reported. If the breach is likely to result in a risk to individuals’ rights and freedoms, it must be notified to the ICO. If there is a ‘high risk’ to individuals’ rights and freedoms, the individuals whose personal data is affected must also be told, without undue delay.
Therefore, on becoming aware of a personal data breach, organisations need to take steps to contain the breach and assess the risks so a decision can be made on whether it needs to be reported to the ICO, individuals, or both.
Even if there is no obligation to report the breach, organisations must keep an internal record of all breaches that occur, including the facts of the breach, its effects and the remedial action taken, so that the ICO can verify compliance.
If a breach is notifiable to the ICO, it needs to be reported without undue delay and in any event within 72 hours of becoming aware of the breach. If the report is made later than 72 hours, it must be accompanied by the reasons for the delay.
Organisations must provide the following when reporting a breach to the ICO:
- a description of the nature of the personal data breach including, where possible, the categories and approximate number of individuals and personal data records concerned;
- the name and contact details of the data protection officer (if there is one) or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach; and
- a description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.
Failing to notify a breach when required to do so can result in a fine of up to £8.7 million or 2% of annual global turnover, whichever is higher.
However, the penalties for not complying with the data protection principles in the UK GDPR, including the integrity and confidentiality principle (that personal data must be processed in a manner that ensures appropriate security), are higher: up to £17.5 million or 4% of annual global turnover, whichever is higher.
The ICO also has other enforcement powers such as the power to issue enforcement notices and conduct audits.