Tag: security

Cyber Security Breaches Survey 2022: What DPOs need to know

Cyber security breaches are on the rise. Virtually every day there is a news story about a high profile organisation being hacked and personal data being lost or stolen. Last week the BBC reported that thousands, if not millions, of people could have lost money in the second largest crypto hack in history. Ronin Network, a key platform powering the popular mobile game Axie Infinity, has had $615m (£467m) stolen. More recently UK retailer, The Works has been forced to shut shops temporarily and suspend new stock deliveries after a cyber-attack.

And it’s not just the private sector. In January we learnt that Gloucester City Council’s website was hacked affecting online revenue and benefits, planning and customer services. The work of Russian hackers(allegedly) could take up to six months to resolve and affected servers and systems may need to be rebuilt.

Data Protection Officers need to be aware of the latest incidents and advice when it comes to cyber security breaches. The recently published DCMS Cyber Security Breaches Survey is important reading for all DPOs. It explores the policies, processes, and approaches to cyber security for businesses, charities, and educational institutions. It also considers the different forms of cyber-attack these organisations face, as well as how they are impacted and their response.

Cyber Attacks

The survey results show that in the last 12 months, 39% of UK businesses identified a cyber-attack. Of these, the most common threat vector was phishing attempts (83%). Of the 39%, around one in five (21%) identified a more sophisticated attack type such as a denial of service, malware, or ransomware attack. Despite its low prevalence, organisations cited ransomware as a major threat, with 56% of businesses having a policy not to pay ransoms. Note recently the GDPR fine issued to a firm of solicitors who suffered such an attack. Interestingly they too chose not to pay the hackers. 

Frequency and Impact

Within the group of organisations reporting cyber-attacks, 31% of businesses and 26% of charities estimate they were attacked at least once a week. One in five businesses (20%) and charities (19%) say they experienced a negative outcome as a direct consequence of a cyber-attack, while one third of businesses (35%) and almost four in ten charities (38%) experienced at least one negative impact. It is interesting that the survey focussed on charities too. July 2021 saw the first GDPR fine to a charity. The transgender charity Mermaids was fined £25,000 after the ICO found that it had failed to implement an appropriate level of security to its internal email systems, which resulted in documents or emails containing personal data being searchable and viewable online by third parties through internet search engine results.

Cost of Attacks

The survey found the average estimated cost of all cyber attacks in the last 12 months was £4,200. Considering only medium and large businesses; the figure rises to £19,400. Of course such incidents also mean a loss of reputation and customer trust. In October 2020, the ICO fined British Airways £20million for a cyber security breach which saw the personal and financial details of more than 400,000 customers being accessed by hackers. British Airways also had to settle legal claims for compensation from affected customers. 

Cyber Hygiene

The government guidance ‘10 Steps to Cyber Security’ breaks down the task of protecting an organisation into 10 key components. The survey finds 49% of businesses and 40% of charities have acted in at least five of these 10 areas. In particular, access management surveyed most favourably, while supply chain security was the least favourable.

Board Engagement

Around four in five (82%) of boards or senior management within UK businesses rate cyber security as a ‘very high’ or ‘fairly high’ priority, an increase on 77% in 2021. 72% in charities rate cyber security as a ‘very high’ or ‘fairly high’ priority. Additionally, 50% of businesses and 42% of charities say they update the board on cyber security matters at least quarterly. Our new webinar “GDPR and the Charity Sector Webinar” is ideal for raising awareness amongst charity trustees.

Size Differential

Larger organisations are correlated throughout the survey with enhanced cyber security, likely as a consequence of increased funding and expertise. For large businesses’ cyber security; 80% update the board at least quarterly, 63% conducted a risk assessment, and 61% carried out staff training; compared with 50%, 33% and 17% respectively for all businesses. Our GDPR Essentials e learning course contains a specific module on keeping data safe which warns of the most common cyber hacking/phishing tactics.  

Risk Management

Just over half of businesses surveyed (54%) have acted in the past 12 months to identify cyber security risks, including a range of actions, where security monitoring tools (35%) were the most common. Qualitative interviews however found that limited board understanding meant the risk was often passed on to; outsourced cyber providers, insurance companies, or an internal cyber colleague.

Outsourcing and Supply Chain

Small, medium, and large businesses outsource their IT and cyber security to an external supplier 58%, 55%, and 60% of the time respectively, with organisations citing access to greater expertise, resources, and standard for cyber security. Consequently, only 13% of businesses assessed the risks posed by their immediate suppliers, with organisations saying that cyber security was not an important factor in the procurement process.

Incident Management

Incident management policy is limited with only 19% of businesses having a formal incident response plan, while 39% have assigned roles should an incident occur. In contrast, businesses show a clear reactive approach when breaches occur, with 84% of businesses saying they would inform the board, while 73% would make an assessment of the attack.

External engagement

Outside of working with external cyber security providers, organisations most keenly engage with insurers, where 43% of businesses have an insurance policy that cover cyber risks. On the other hand, only 6% of businesses have the Cyber Essentials certification and 1% have Cyber Essentials plus, which is largely due to relatively low awareness. The importance of this was highlighted in the recent GDPR fine issued to Tuckers solicitors.

The DCMS Cyber Security Breaches Survey is important reading for all Data Protection Officers and IT staff. Aligning with the National Cyber Strategy, it is used to inform government policy on cyber security. It should also be used to stay abreast of cyber security developments and formulate your own organisation’s cyber security strategy.  

Our Managing Personal Data Breaches workshop will examine the law and best practice in this area, drawing on real-life case studies, to identify how organisations can position themselves to deal appropriately with data security incidents and data breaches, in order to minimise the impact on customers and service users and mitigate reputational damage.

Law Firm Fined For GDPR Breach: What Went Wrong? 

On 10th March the Information Commissioner’s Office (ICO) announced that it had fined Tuckers Solicitors LLP £98,000 for a breach of GDPR.

The fine follows a ransomware attack on the firm’s IT systems in August 2020. The attacker had encrypted 972,191 files, of which 24,712 related to court bundles.  60 of those were exfiltrated by the attacker and released on the dark web.  Some of the files included Special Category Data. Clearly this was a personal data breach, not just for the fact that data was released on the dark web, but because of the unavailability of personal data (though encryption by the attacker) which is also cover by the definition in Article 4 GDPR. Tuckers reported the breach to the ICO as well as affected individuals through various means including social media

The ICO found that between 25th May 2018 (the date the GDPR came into force) and 25th August 2020 (the date on which the Tuckers reported the personal data breach), Tuckers had contravened Article 5(1)(f) of the GDPR (the sixth Data Protection Principle, Security) as it failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. The ICO found its starting point for calculating the breach to be 3.25 per cent of Tuckers’ turnover for 30 June 2020. It could have been worse; the maximum for a breach of the Data Protection Principles is 4% of gross annual turnover.

In reaching its conclusions, the Commissioner gave consideration to Article 32 GDPR, which requires a Data Controller, when implementing appropriate security measures, to consider:

 “…the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”.

What does “state of the art” mean? In this case the ICO considered, in the context of “state of the art”, relevant industry standards of good practice including the ISO27000 series, the National Institutes of Standards and Technology (“NIST”), the various guidance from the ICO itself, the National Cyber Security Centre (“NCSC”), the Solicitors Regulatory
Authority, Lexcel and NCSC Cyber Essentials.

The ICO concluded that there are a number of areas in which Tuckers had failed to comply with, and to demonstrate that it complied, with the Security Principle. Their technical and organisational measures were, over the relevant period, inadequate in the following respects:

Lack of Multi-Factor Authentication (“MFA”)

MFA is an authentication method that requires the user to provide two or more verification factors to gain access to an online resource. Rather than just asking for a username and password, MFA requires one or more additional verification factors, which decreases the likelihood of a successful cyber-attack e.g. a code from a fob or text message. Tuckers had not used MFA on its remote access solution despite its own GDPR policy requiring it to be used where available. 

Patch Management 

Tuckers told the ICO that part of the reason for the attack was the late application of a software patch to fix a vulnerability. In January 2020 this patch was rated as “critical” by the NCSC and others. However Tuckers only installed it 4 months later. 

Failure to Encrypt Personal data

The personal data stored on the archive server, that was subject to this attack, had not been encrypted. The ICO accepted that encryption may not have prevented the ransomware attack. However, it would have mitigated some of the risks the attack posed to the affected data subjects especially given the sensitive nature of the data.

Action Points 

Ransomware is on the rise. Organisations need to strengthen their defences and have plans in place; not just to prevent a cyber-attack but what to do when it does takes place:

  1. Conduct a cyber security risk assessment and consider an external accreditation through Cyber Essentials. The ICO noted that in October 2019, Tuckers was assessed against the Cyber Essentials criteria and found to have failed to meet crucial aspects. The fact that some 10 months later it had still not resolved this issue was, in the Commissioner’s view, sufficient to constitute a negligent approach to data security obligations.
  2. Making sure everyone in your organisation knows the risks of malware/ransomware and follows good security practice. Our GDPR Essentials e learning solution contains a module on keeping data safe.
  3. Have plans in place for a cyber security breach. See our Managing Personal Data Breaches workshop

More useful advice in the ICO’s guidance note on ransomeware and DP compliance.

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We also have a few places left on our Advanced Certificate in GDPR Practice course starting in April.

advanced_cert

First ICO GDPR Fine Reduced on Appeal

photo-1580971266928-ff5d40c194a7

The first GDPR fine issued by the Information Commissioner’s Office (ICO) has been reduced by two thirds on appeal.

In December 2019, Doorstep Dispensaree Ltd, a company which supplies medicines to customers and care homes, was the subject of a Monetary Penalty Notice of £275,000 for failing to ensure the security of Special Category Data. Following an investigation, the ICO ruled that the company had left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware. The ICO launched its investigation after it was alerted by the Medicines and Healthcare Products Regulatory Agency, which was carrying out its own separate enquiry into the company.

The unsecured documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people.
The ICO held that this gave rise to infringements of GDPR’s security and data retention obligations. It also issued an Enforcement Notice after finding, amongst other things, that the company’s privacy notices and internal policies were not up to scratch.

On appeal, the First Tier Tribunal (Information Rights) ruled that the original fine of £275,000 should be reduced to £92,000. It concluded that 73,719 documents had been seized by the MHRA, and not approximately 500,000 as the ICO had estimated. She also held that 12,491 of those documents contained personal data and 53,871 contained Special Category Data.

A key learning point from this appeal is that data controllers cannot be absolved of responsibility for personal data simply because data processors breach contractual terms around security. The company argued that, by virtue of Article 28(1) of GDPR, its data destruction company (JPL) had become the data controller of the offending data because it was processing the data otherwise than in accordance with their instructions. In support of this argument it relied on its contractual arrangement with JPL, under which JPL was only authorised to destroy personal data in relation to DDL- sourced excess medication and equipment and must do so securely and in good time. 

The judge said:

“The issue of whether a processor arrogated the role of controller in this context must be considered by reference to the Article 5(2) accountability principle. This provides the controller with retained responsibility for ensuring compliance with the Article 5(1) data processing principles, including through the provision of comprehensive data processing policies. Although it is possible that a tipping point may be reached whereby the processor’s departure from the agreed policies becomes an arrogation of the controller’s role, I am satisfied that this does not apply to the facts of this case.” 

This case shows the importance of data controllers keeping a close eye on data processors especially where they have access to or are required to destroy or store sensitive data. Merely relying on the data processor contract is not enough to avoid ICO enforcement. 

Our  GDPR Practitioner Certificate is our most popular certificate course available both online and classroom. We have added more dates.

First GDPR Fine Issued to a Charity

christopher-bill-rrTRZdCu7No-unsplash

On 8th July 2021, the Information Commissioner’s Office (ICO) fined the transgender charity Mermaids £25,000 for failing to keep the personal data of its users secure.
In particular this led to a breach of the Articles 5(l)(f) and 32(1) and (2) of the GDPR. 

The ICO found that Mermaids failed to implement an appropriate level of organisational and technical security to its internal email systems, which resulted in documents or emails containing personal data, including in some cases relating to children and/or including in some cases special category data, being searchable and viewable online by third parties through internet search engine results.  

The ICO’s investigation began after it received a data breach report from the charity in relation to an internal email group it set up and used from August 2016 until July 2017 when it was decommissioned. The charity only became aware of the breach in June 2019. 

The ICO found that the group was created with insufficiently secure settings, leading to approximately 780 pages of confidential emails to be viewable online for nearly three years. This led to personal data, such as names and email addresses, of 550 people being searchable online. The personal data of 24 of those people was sensitive as it revealed how the person was coping and feeling, with a further 15 classified as Special Category Data as mental and physical health and sexual orientation were exposed. 

The ICO’s investigation found Mermaids should have applied restricted access to its email group and could have considered pseudonymisation or encryption to add an extra layer of protection to the personal data it held.  

During the investigation the ICO discovered Mermaids had a negligent approach towards data protection with inadequate policies and a lack of training for staff. Given the implementation of the UK GDPR as well as the wider discussion around gender identity, the charity should have revisited its policies and procedures to ensure appropriate measures were in place to protect people’s privacy rights. 

Steve Eckersley, Director of Investigations said: 

“The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often vulnerable people it works with. Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse. 

“As an established charity, Mermaids should have known the importance of keeping personal data secure and, whilst we acknowledge the important work that charities undertake, they cannot be exempt from the law.” 

Up to April 2021, European Data Protection regulators had issued approximately €292 million worth of fines under GDPR. The greatest number of fines have been issued by Spain (212), Italy (67) and Romania (52) (source).  

Up to last week, the ICO had only issued four GDPR fines. Whilst fines are not the only GDPR enforcement tool, the ICO has faced criticism for lack of GDPR enforcement compared to PECR

The first ICO GDPR fine was issued back in December 2019 to a London-based pharmacy. Doorstep Dispensaree Ltd, was issued with a Monetary Penalty Notice of £275,000 for failing to ensure the security of Special Category Data. In November 2020, Ticketmaster had to pay a fine of £1.25m following a cyber-attack on its website which compromised millions of customers’ personal information. Others ICO fines include British Airways and Marriott which concerned cyber security breaches.  

It remains to be seen if the Mermaids fine is the start of more robust GDPR enforcement action by the ICO. It will certainly be a warning to all Data Controllers, particularly charities, to ensure that they have up to data protection data policies and procedures.  

Act Now Training’s GDPR Essentials e learning course is ideal for frontline staff who need to learn about data protection in a quick and cost-effective way. You can watch the trailer here. 

We only have two places left on our Advanced Certificate in GDPR Practice course starting in September.  

The Marriott Data Breach Fine

Niagara Falls, Ontario, Canada - September 3, 2019: Sign of Marriott on the building in Niagara Falls, Ontario, Canada. Marriott International is an American hospitality company.

The Information Commissioner’s Office (ICO) has issued a fine to Marriott International Inc for a cyber security breach which saw the personal details of millions of hotel guests being accessed by hackers. The fine does not come as a surprise as it follows a Notice of Intent, issued in July 2018. The amount of £18.4 million though is much lower than the £99 million set out in the notice.  

The Data 

Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott.  

The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number. The precise number of people affected is unclear as there may have been multiple records for an individual guest. Seven million guest records related to people in the UK. 

The Cyber Attack 

In 2014, an unknown attacker installed a piece of code known as a ‘web shell’ onto a device in the Starwood system giving them the ability to access and edit the contents of this device remotely. This access was exploited in order to install malware, enabling the attacker to have remote access to the system as a privileged user. As a result, the attacker would have had unrestricted access to the relevant device, and other devices on the network to which that account would have had access. Further tools were installed by the attacker to gather login credentials for additional users within the Starwood network.
With these credentials, the database storing reservation data for Starwood customers was accessed and exported by the attacker. 

The ICO acknowledged that Marriott acted promptly to contact customers and the ICO.
It also acted quickly to mitigate the risk of damage suffered by customers. However it was found to have breached the Security Principle (Article 5(1)(f)) and Article 32 (Security of personal data). The fine only relates to the breaches from 25 May 2018, when GDPR came into effect, although the ICO’s investigation traced the cyber-attack back to 2014. 

Data Protection Officers are encouraged to read the Monetary Penalty Notice as it not only sets out the reasons for the ICO’s conclusion but also the factors it has taken into account in deciding to issue a fine and how it calculated the amount.  

It is also essential that DPOs have a good understanding of cyber security. We have some places available on our Cyber Security for DPOs workshop in November. 

The Information Commissioner, Elizabeth Denham, said: 

“Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.”

“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.” 

Marriott said in statement:  

“Marriott deeply regrets the incident. Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems. The ICO recognises the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests.”

Marriott has also said that it does not intend to appeal the fine, but this is not the end of the matter. It is still facing a civil class action in the High Court for compensation on behalf of all those affected by the data breach.  

This is the second highest GDPR fine issued by the ICO. On 16th October British Airways was fined £20 million also for a cyber security breach. (You can read more about the causes of cyber security breaches in our recent blog post.) The first fine was issued in December 2019 to Doorstep Dispensaree Ltd for a for a comparatively small amount of £275,000. 

This and other GDPR developments will be covered in our new online GDPR update workshop. Our next online GDPR Practitioner Certificate is fully booked.We have added more courses. 

The EasyJet Data Breach: GDPR Fine Arriving?

robert-hrovat-3hTBB-ISAJg-unsplash

On 19th May 2020 it was reported that in January 2020 EasyJet was subject to what they describe as a “highly sophisticated” cyber-attack, resulting in the personal data of over 9 million customers being “hacked”. Detailed information about the attack is sparse, with most media sources repeating the same bare facts. Some of the information below is based on the media reports and emails sent to EasyJet customers. At the time of writing there was no information about this on the Information Commissioner’s Office web site.
What little information is available points to a number of breaches of the General Data Protection Regulation (GDPR) which could result in the Information Commissioners Office (ICO) imposing a monetary penalty.

However, in view of the ICO’s reassessment of its regulatory approach during the current Coronavirus pandemic and reports that it has further delayed the imposition of its £183 million fine against British Airways, readers may be forgiven for thinking that EasyJet will not be on the receiving end of a fine any time soon. In any event, it seems likely that the ICO will be forced to consider the fact that EasyJet, along with the whole airline industry has been very severely affected by the Coronavirus and faces huge financial pressures.
The consequences for EasyJet in respect of this breach will remain unclear for many months and may disappoint customers whose personal information has been stolen.

Breach of Security

All Data Controllers must comply with the data protection principles set out in Article 5 of GDPR. In particular, Article 5 (1) (f) (the security principle) requires Data Controllers to process personal data in a manner that “ensures appropriate security” of the personal data that they process. That  includes protecting against “unauthorised or unlawful processing and against accidental loss, destruction or damage.” This obligation to process personal data securely is further developed in GDPR Article 32 which requires Data Controllers to implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. The steps that a Data Controller has to take will vary, based upon “the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”. In other words, Data Controllers must implement security measures that are “appropriate to the risks” presented by their processing, which reflects the GDPR’s risk-based approach. So, for example, a village hairdresser will not be expected to take the same amount of security precautions as an international airline handling personal data (and often Special Category Data) about millions of people. We do not know what cyber-security precautions EasyJet had in place to prevent this-attack, however it is arguable that it should have reviewed its security arrangements (which it may well have done) in the wake of the British Airways attack that was widely reported in September 2018.

There is no doubt that the incident amounts to a “personal data breach” under GDPR Article 4 (12) since it involves a breach of security leading to the unauthorised access of the personal data of about 9 million people. Of the 9 million people affected, 2,208 had their credit card details stolen.

Breach Notification

When a Data Controller becomes aware of a “personal data breach” it must notify the ICO “without undue delay, and where feasible not later than 72 hours after becoming aware of it” (GDPR Article 33). The controller is relieved from this duty where the breach is “unlikely to result in a risk to the rights and freedoms of natural persons”. That does not appear to be the case here given both the scale of the attack and the fact that the hackers gained access to customers’ credit card details and travel plans. The media reports indicate that the ICO was informed about the attacks that took place in January 2020, but there is no indication exactly when it was informed. If EasyJet did not notify the ICO within the time frames of Article 33, then this constitutes a further breach of the GDPR.
Phased notification is allowed though when a Data Controller does not have all the full details of the data breach within the 72 hours. This is likely to be the case in the EasyJet case where they instructed an immediate forensic investigation to establish the nature and extent of the breach, but the initial notification should have been within the 72 hour period as per Article 33.

Notifying Easy Jet Customers

GDPR Article 34 requires a Data Controller to notify any Data Subjects when the personal data breach is “likely to result in a high risk to the[ir] rights and freedoms”. The threshold for communicating a data breach to Data Subjects is higher than for notifying  the ICO and therefore it will not always be necessary to communicate with affected Data Subjects.
Data Controllers must assess the risk on a case by case basis. However, the Article 29 Working Party Guidelines on Breach Notification suggests that a high risk exists when the breach may lead to identity theft, fraud or financial loss. This would appear to be the case in the EasyJet breach. The GDPR does not state any specific deadline for notification but it does say that it should be “without undue delay”.

Media reports suggest that EasyJet customers were notified in two separate tranches.
The first notification to customers, whose credit details were stolen, was sent by email in early April. The second tranche, to all other customers, was sent by 26th May.
Customers who received emails at the end of May were advised that their name, email address and travel details were accessed (but not their credit card or passport details).
The purpose of notifying customers is to enable them to take steps to protect themselves against any negative consequences of the breach. The email suggested that customers take extra care to avoid falling victim to phishing attacks.

It remains to be seen whether EasyJet customers were notified “without undue delay” given that the airline became aware of the breach in January but the first notification to customers whose credit card details were stolen was not until end of April. It is plausible that this may have been too late for some customers. If this is the case then not only would this result in a  further breach of the GDPR, but could expose EasyJet to claims for compensation under GDPR Article 82. Indeed, according to SC Magazine, a law firm has already issued a class action claim in the High Court. Note that according to Google v Lloyd (and now under GDPR) claimants not do now have to show direct material damage to claim compensation.

Will Easy Jet Be Fined?

The details available to date certainly suggest a breach of Article 5 (1) (f) and possibly Article 32. In addition, it may be the case that EasyJet failed to notify their customers without undue delay and have breached Article 34. Breaches of these provisions could theoretically result in the ICO imposing a monetary penalty of up to 4% of EasyJet’s total worldwide annual turnover in respect of a breach of Article 5 and up to 2% of its total worldwide annual turnover for breaches of Articles 32 and 34.

It is too early to compare the circumstances of the EasyJet breach with the British Airways breach. The numbers of Data Subjects whose credit card details were involved in the BA attack was reported to be half a million (compared to 9 million with the EasyJet attack). However the number of people whose credit card details were stolen in the BA attack was much greater (about 380,000 booking transactions), although British Airways notified its customers immediately. Therefore the scale and gravity of the two breaches are not identical. The ICO will need to take these factors into account in deciding on the level of any fine. The maximum that she could fine is (as stated above) up to 4% of EasyJet’s annual turnover. It is not clear what this figure is but the EasyJet Annual Report for 2019 states that the company’s total revenue in 2019 was £6,385 million. In contrast BA’s total revenue was £12.2 billion. The fine will almost certainly be smaller than that imposed on British Airways, but it really remains to be seen how the ICO will react to the financial pressure that EasyJet are clearly under as a result of the Coronavirus pandemic. All we can do is watch this space.

This and other GDPR developments will be covered in our new online GDPR update workshop. Our next online  GDPR Practitioner Certificate course is  fully booked. A few places left  on the course starting on 2nd July.

online-gdpr-banner

 

PrivSec London Conference: Act Now Announces Winners of Free Tickets

DPWF Draw image

Act Now is pleased to announce the winners of the 7 free delegate tickets for the  PrivSec London Conference taking place on 4th and 5th February 2020. We are exhibiting at this two day event which will deliver  top-level strategic content, insights, networking, and discussion around data protection, privacy and security. In addition to leading content, tickets will include refreshments, lunch and access to exclusive post-event content.

And the winners are…

1.    Alison Hope of Greenwood Academies Trust
2.    Tony Sheppard of GDPR In Schools
3.    Rhiannon Platt of Royal Devon & Exeter NHS Foundation Trust
4.    Jamie Pickering of The Valuation Office
5.    Claire Owen of Cumbria County Council
6.    Amanda Godridge of Hampshire County Council
7.    Sam Smith of Herefordshire Council

Congratulations to all the winners who will receive an email informing them of how to claim their free ticket. Thank you to all of those who expressed an interest.

Act Now is in full conference mode now. Like last year, we hope to be exhibiting at the ICO Data Protection Practitioner’s Conference in Manchester.

In April, Ibrahim Hasan will travel to Las Vegas to address the 21st Annual NAPCP Commercial Card and Payment Conference. Ibrahim will be talking about the California Consumer Privacy Act (CCPA) which comes into force on 1st January 2020. It is sometimes known as the US equivalent of GDPR and provides broader rights to consumers and stricter compliance requirements for businesses than any other state or federal privacy law.

In May we will be exhibiting at the IRMS Conference in Birmingham. If you are attending any of these conferences, come and say hello on our stand and talk to us about our range of  GDPR Update Workshops,  E learning and Certificate Courses (Oh and collect some freebies!)

Act Now launches GDPR Policy Pack

ACT NOW NEWS

The first fine was issued recently under the General Data Protection Regulation (GDPR) by the Austrian data protection regulator. Whilst relatively modest at 4,800 Euros, it shows that regulators are ready and willing to exercise their GDPR enforcement powers.

Article 24 of GDPR emphasises the need for Data Controllers to demonstrate compliance through measures to “be reviewed and updated where necessary”. This includes the implementation of “appropriate data protection policies by the controller.” This can be daunting especially for those beginning their GDPR compliance journey.

Act Now has applied its information governance knowledge and experience to create a GDPR policy pack containing essential documentation templates to help you meet the requirements of GDPR as well as the Data Protection Act 2018. The pack includes, amongst other things, template privacy notices as well as procedures for data security and data breach reporting. Security is a very hot topic after the recent £500,000 fine levied on Equifax by the Information Commissioner under the Data Protection Act 1998.

We have also included template letters to deal with Data Subjects’ rights requests, including subject access. The detailed contents are set out below:

  • User guide
  • Policies
    • Data Protection Policy
    • Special Category Data Processing (DPA 2018)
    • CCTV
    • Information Security
  • Procedures
    • Data breach reporting
    • Data Protection Impact Assessment template
    • Data Subject rights request templates
  • Privacy Notices
    • Business clients and contacts
    • Customers
    • Employees and volunteers
    • Public authority services users
    • Website users
    • Members
  • Records and Tracking logs
    • Information Asset Register
    • Record of Processing Activity (Article 30)
    • Record of Special Category Data processing
    • Data Subject Rights request tracker
    • Information security incident log
    • Personal data breach log
    • Data protection advice log

The documents are designed to be as simple as possible while meeting the statutory requirements placed on Data Controllers. They are available as an instant download (in Word Format). Sequential files and names make locating each document very easy.

Click here to read sample documents.

The policy pack gives a useful starting point for organisations of all sizes both in the public and private sector. For only £149 plus VAT (special introductory price) it will save you hours of drafting time. Click here to buy now or visit or our website to find out more.

Act Now provides a full GDPR Course programme including one day workshops, e learning, healthchecks and our GDPR Practitioner Certificate. 

Data Breach Notification and the New EU Data Protection Regulation

 

DPA20The new EU General Data Protection Regulation contains an obligation on Data Controllers to notify supervisory authorities of personal data breaches. In some cases this extends to the Data Subjects as well.

Article 4 of the Regulation defines a personal data breach:

“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”

Under the Data Protection Act 1998 (DPA) there is currently no legal obligation to report such breaches to anyone. However the Information Commissioner’s Office (ICO) guidance recommends that serious breaches should be brought to its attention. Last year telecoms company Talk Talk was the subject of a cyber attack in which almost 157,000 customers’ personal details were hacked. The company was criticised for its slow response especially the time it took to inform the ICO and customers.

Article 31 of the Regulation states that as the Data Controller becomes aware that a personal data breach has occurred it should without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority (in the UK the ICO). There is no need to do this where the controller is able to demonstrate that the breach is unlikely to result in a risk for the rights and freedoms of individuals. For example a very minor data breach involving innocuous information about a few individuals. Where the 72 hour deadline cannot be achieved, an explanation of the reasons for the delay should accompany the notification.

Notification Contents

The notification must contain the following minimum information:

  • a description of the nature of the personal data breach including where possible, the categories and approximate number of data subjects data records concerned;
  • the name and contact details of the Data Controller’s Data Protection Officer (now a statutory position) or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach;
  • a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, to mitigate its possible adverse effects.

Where it is not possible to provide the above information at the same time, the information may be provided in phases without undue further delay.

The new Regulation will require all personal data breaches, no matter how insignificant, to be documented by Data Controllers. This should include the facts surrounding the breach, its effects and the remedial action taken. This documentation must enable the supervisory authority to verify compliance with Article 31. Some, if not all of it, will also be accessible via Freedom of Information requests, as many local authorities have already found.

Individuals’ Rights

Article 32 of the new Regulation states that Data Subjects should be notified without undue delay if the personal data breach is likely to result in a high risk to their rights and freedoms (e.g. fraud or identity theft), in order to allow them to take the necessary precautions. The notification will be similar to the one to the supervisory authority (discussed above) and should describe, in clear and plain language, the nature of the personal data breach as well as recommendations for the individuals concerned to mitigate potential adverse effects.

Notifications to individuals should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the need to mitigate an immediate risk of damage would call for a prompt notification whereas the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay.

There is no need to communicate a personal data breach to individuals if:

(a) the Data Controller has implemented appropriate technical and organisational protection 
measures, and that those measures were applied to the data affected by the personal data breach, in particular those that render the data unintelligible to any person who is not authorised to access it, such as encryption; or

(b) the controller has taken subsequent measures which ensure that the high risk for the rights and freedoms of data subjects is no longer likely to materialise; or

(c) it would involve disproportionate effort. In such case, there will instead have to be a public communication (e.g. press release) or similar measure whereby the Data Subjects are informed in an equally effective manner.

Even where a Data Controller has chosen not to information Data Subjects, the supervisory authority can instruct it to do so. No doubt there will be more detailed rules setting out what kinds of breaches require notification and to whom.

Compensation

Article 77 states that:

“Any person who has suffered material or immaterial damage as a result of an infringement of the Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”

This together with the new breach notification provisions (discussed above) will no doubt see an increase in Data Subjects taking legal action against Data Controllers as a result of data breaches. There may even be more class actions like the one against the London Borough of Islington in 2013 when 14 individuals settled for £43,000 in compensation after their personal data was disclosed without their authority. This action followed an ICO investigation which resulted in the council being fined £70,000.

Currently the ICO can issue fines (Monetary Penalty Notice’s) of up to £500,000 for serious breaches of the DPA. When the Regulation comes into force, this will be increased to 4% of global annual turnover for the preceding year (for businesses) or 20 million Euros.

The Regulation will have a big impact on all sectors. Whilst it is unlikely to come into force until the middle of 2018, all Data Controllers should be examining their approach to data breaches now and be putting into place processes to comply with the new rules.

Act Now Training can help. Please see our one-day EU DP Regulation workshops and our 1 hour webinars. We can also conduct DP audits and assessments.

Act Now Book Draw – Week 8

The winner of last week’s Act Now Book Draw was Amy Ford from NHS Southampton City.

Next week’s book is Covert Investigation by Clive Harfield and Karen Harfield.

The next draw will take place on Wednesday 25th April at 9am. Click here to enter the draw.

If you enter the draw and win, you give us permission to let others know that you have won (by e mail, on our website and by Twitter). If you do not want us to do this, please do not enter the draw. Any information we receive through this free draw will not be used for any other purpose.

%d bloggers like this: