Joe Torre, apprentice solicitor at Muckle LLP, has been working on GDPR with the firm's data protection lawyers and spotted something businesses might be missing.
Data breaches are rising by over 30% a quarter, according to trends seen by the Information Commissioner’s Office (ICO), and that’s not counting all the breaches that go unreported. News of breaches is becoming increasingly common. Just recently it emerged that Uber had paid off hackers who last year compromised the data of 57 million customers and employees worldwide.
After hiding the breach for over a year, the company finally released a statement admitting that ‘the names and driver’s license numbers of around 600,000 drivers in the United States’ had been compromised. It has also since transpired that 2.7 million UK users’ data has been hacked.
This example is exactly why the new General Data Protection Regulation (GDPR) introduces new requirements for reporting serious breaches.
Transparent businesses
Creating a culture of openness is more important than ever for businesses. Employees need to feel that it is better to tell someone about a suspected breach than to sit on it and do nothing.
Under the Data Protection Act 1998 it was considered ‘best practice’ to report incidents, whereas the new regulations make it mandatory to disclose any personal data breach that is likely to pose a risk to people’s rights and freedoms.
Businesses now have 72 hours to report certain breaches to the ICO. Failure to do so can, under the new guidelines, lead to a huge fine.
What businesses might have missed
Under the new rules organisations must have measures in place to prevent breaches, have a plan for when a breach occurs and make sure employees know what to do if it happens.
These new requirements have seemingly gone unnoticed, clouded by the smoke created by scaremongering media and marketing communications focussed on the new fines under the regulation. I’m sure you will all have read about the £20m fines for breaches of GDPR, a sum in a different league to the maximum £500,000 that the ICO can currently impose. But let’s not obsess about that.
It’s not all doom and gloom. We shouldn’t panic. UK information commissioner Elizabeth Denham has reassured businesses, saying: “This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that. Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point.”
While the ICO will enforce these new fines, the change in the law should be seen as an opportunity for businesses to ensure the way they hold data is more secure and efficient than ever, rather than worrying about the penalty for not doing so.
So New Year, new start for our data security systems. Now is the time to make sure they are in better shape than ever before, fit and ready for the new regulations in May.