March 3rd, 2016
In December 2015 a significant milestone was reached. A trilogue within the European Union agreed new legislation to replace the Data Protection Act and harmonise the patchwork of data protection legislation across all 28 member states.
For those who read the above as gibberish, here’s the plain English on this important piece of news.
Here’s the slightly longer briefing.
The UK’s Data Protection Act (DPA) was brought into law in 1998. At the time we didn’t have Internet-based giants like Facebook, Apple, Amazon or Google. We simply couldn’t see just how enormously the Internet would change the world.
Since 1998 we’ve had the invention and proliferation of the smartphone, the tablet and Cloud-based computing, and more advancements besides. These devices and services solve one simple task: they make it easier to access, process, transmit and store data.
Whilst the world has continued to turn, the legislation protecting the data concerning “us” as individuals, i.e. our “personal information”, has not kept pace. In fact, the two have been out of sync for quite some time. (Do you genuinely believe a £500,000 penalty is really a worry for the likes of Amazon?)
The “personal information” to which I refer is anything that can define or identify YOU as a person. It is your name, your email address, your telephone number. It could be an account number and your home address. It is your medical records and financial records.
DID YOU KNOW? Your medical records are worth 10x more than your credit card details on the black market as this data is used to create fake IDs and make fictitious insurance claims and obtain prescription drugs for resale. Credit cards can be easily cancelled. The key facts of your life cannot.
In the age of technology everywhere, these snippets of personal information are your life. This information is now the very cornerstone of our existence. If you’re not on a computer system, do you really exist?
Any data that can be put together to pinpoint a specific individual is legally defined as “personal information”. According to the law of the land, it should be handled in line with data protection legislation, else there can (and will) be consequences.
Loss of this data to unauthorised parties can be devastating for the affected individuals. Such an incident is called a “data breach”. When you hear about a company suffering a “data breach” in the news, it means a number of private individuals are potentially about to have a much more difficult life. Their personal data is now exposed and can’t be clawed back.
Data breaches can happen in many ways. Disgruntled employees can steal data, hackers can compromise your system, a smartphone may be accidentally lost, or an email could be sent to the wrong person. Accidents happen, but again, regardless of the cause, the incident will have far-reaching consequences.
So what are the repercussions for you, the affected individual? Your money can be taken. Your credit score can be adversely affected. Your property can be stolen. Your identity can be stolen. You can be framed for things you didn’t do. The list is extensive.
If we scale up the number of affected people to hundreds of thousands, you can begin to see the potential repercussions for the wider economy.
With the fallout being so dangerous it makes sense to have strong legislation to police businesses and ensure personal information is stored securely and processed fairly.
The incoming General Data Protection Regulation (“GDPR”) is designed to play catch-up on the last 20 years of technological development.
As ever, here comes the catch.
The requirements and penalties on a business are to become punishingly tough. In the event of a data breach, the risk of loss is being moved from the private individual (who has no control over how their details are being used) to the businesses that store or manipulate their details.
So, what does this mean for you?
If you are a Director or Manager of a business, the information below is very important.
We have now entered a 2-year transition window before GDPR comes into force. Over the next 2 years you will hear much on this topic from your accountant, insurance broker, and quite possibly your solicitors.
At a high level the new penalties and requirements are quite simple. Implementing internal governance controls for compliance may, however, prove trickier.
In essence, “cyber” is being brought in line with Health & Safety.
Under the DPA the maximum penalty was £500,000. Under GDPR, for small businesses with under 250 employees, the penalty will be up to €1,000,000 per incident. For larger firms, the penalty will be up to 4% of Global Annual Turnover, per incident.
Mandatory Breach Notification:
Currently only a handful of sectors (Financial Services and the Public Sector, notably) have a mandated requirement to notify the ICO (the “Information Commissioner’s Office”) in the event of a data breach. Under GDPR, any business that suffers a data breach will have to notify the ICO within 72 hours of discovering the incident. Failure to notify within this time frame is expected to adversely influence any penalty awarded against you (i.e. it will be higher).
Processing Notification Fee:
Under the DPA, smaller businesses have historically had to pay £35 per year (larger firms, £500) to the ICO to notify them that their business was processing personal information. This fee will be scrapped under GDPR, raising questions over how the ICO will fund its operations. The general belief is through greater enforcement activity. It is likely the ICO is about to find its teeth and will have to start to hunt for its food.
Data Protection Impact Assessment (“DPIA”):
There will also be the requirement to undertake “Data Protection Impact Assessments”, perhaps more easily likened to Health & Safety Risk Assessments. These reports will be necessary to steer your thinking on whether a data processing activity should be undertaken, and on the security to be applied to the task if it is. Businesses will be required to notify the ICO every time they produce a ‘DPIA’ that indicates a high risk. Failure to do so, if discovered, will likely result in more or greater penalties.
Data Protection Officer:
The current belief is that all larger companies, and any firm that processes more than 5,000 personal records, will be required to retain a “Data Protection Officer”, the equivalent to a Health & Safety Officer. This individual will be required to undertake the Data Protection Impact Assessments and ensure compliance to GDPR.
If this wasn’t bad enough…
Breaching data protection legislation is just one aspect of cyber risk facing businesses in 2016. Other risks include reputation damage (misuse of social media), business interruption (through downtime of Cloud services) or even loss of monies through extortion (malware such as CryptoLocker), among many others.
The good news is the extent of the “cyber risk” minefield can be defined. The bad news is that the issue is often only perceived as addressable through expensive consultancy. This is not the case.
Understanding your firm’s exposure to cyber risk needn’t be expensive or time consuming.
Aaron Yates, CEO, Berea Associates Ltd
* This content is provided for educational purposes only. No part of the article is to be interpreted or construed as legal advice.