Following the introduction of GDPR on the 15th May 2018, there is an ever-increasing focus on data protection breaches.
GDPR puts a requirement on businesses to report all personal data breaches. Data breaches must be reported within 72 hours of the business becoming aware of them. The stakes have also been raised: potential fines for businesses who break the GDPR are significantly higher than those applied under the previous Data Protection Act 1998.
What types of data protection breach are there?
The Information Commissioner’s Office (ICO) defines a personal data breach as ‘a security incident that has affected the confidentiality, integrity or availability of personal data’.
There are many ways in which a breach can occur. Examples of a personal data breach include:
• Sending personal data to an incorrect recipient – for example, an email which contains personal data (name, address, DOB) is sent to the wrong email address.
• Unauthorised access to data – this could include an employee who doesn’t have the right to access the data, or a third party who gains access to your data without permission.
• Personal data being made unavailable, whether accidentally lost or destroyed – for example, a power failure or cyber-attack may mean your systems or servers go down and you are not able to access data, or you lose the decryption key required to access encrypted data.
• Devices containing personal data being lost or stolen – for example, an employee may leave their laptop on a train. If the device contained personal data this would be considered a breach.
What is the maximum data protection breach fine?
GDPR sets out two levels of fines for those who break the new data protection rules:
1. Higher tier fines – a maximum fine of 20 million Euros or 4% of global turnover, whichever is higher.
2. Lower tier fines – a maximum fine of 10 million Euros or 2% of global turnover, whichever is higher.
The regulation states that fines issued will be “effective, proportionate and dissuasive”.
Under the Data Protection Act 1998, the maximum fine that could be issued was £500,000.
The date of the offence being prosecuted determines which fine regime applies: for offences committed before GDPR came into force, fines are issued under the previous legislation.
Failing to report a breach within the specified timeframe can be penalised by a fine of up to 10 million Euros or 2% of a business’s global turnover.
How can your business avoid data protection breach fines?
Data protection is an ever-evolving area that you need to take control of to reduce the likelihood of a data breach, and therefore of a fine.
Some areas to consider include:
- Have someone (or a team of people) responsible for data protection and GDPR – The GDPR regulation is complex, made up of 99 articles. To get a real handle on the regulations you must comply with and embed compliance into your business, it will likely be beneficial to have someone who takes responsibility for understanding the regulation.
- Understand what data you hold – In order to protect your data and avoid a data breach, you need to understand what data you hold and where it is stored. You will then be in a better position to both prevent a breach and quickly become aware of any breaches which do occur.
- Put data protection and privacy at the heart of your business – Keep your security systems updated to reduce the risk of being hacked. It’s also a good idea to run regular risk reviews to identify any areas which may have changed and made you vulnerable.
- Invest in staff training – Make sure your staff are all well trained on your data protection procedures and how to avoid a data breach. They also need to understand why data protection and security are so important.
It’s important that small businesses maintain focus on ensuring compliance with GDPR and minimise the likelihood of a data protection breach fine. It may also be beneficial to review your small business insurance to ensure you are covered for all eventualities. If you have any questions you can talk to us at Anthony Jones – we can provide support both in terms of your insurance requirements and risk management.