The Information Commissioner’s Office has now confirmed that the UK will have to enact the General Data Protection Regulation (GDPR) by May 2018, given that this implementation date will occur before the expiry of the two-year period from the giving of the UK’s Article 50 notice to leave the EU.
The introduction of the GDPR is the biggest overhaul of data protection legislation in 18 years, 18 years which have seen a major boom in data and advancements in technology which the previous legislation has failed to keep pace with. Furthermore, the introduction of the GDPR will impact, to some degree, every single business and organisation in the UK.
Under the current legislation, only public bodies, via a voluntary arrangement, have a positive obligation to report data breaches to the Information Commissioner. As such, when a data breach occurs, many private sector organisations simply batten down the hatches and hope no-one traces the breach back to them, and in most cases they will get away with this.
However, the GDPR introduces a new positive notification requirement. Certain types of breaches (i.e. those likely to result in a risk to the rights and freedoms of individuals) have to be reported to the Information Commissioner within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to the rights and freedoms of individuals (e.g. the data lost could result in identity theft), then the individuals whose data has been breached, who could be customers or employees, must also be notified without undue delay.
The thought of having to write, on a firm’s headed paper, to individuals telling them your firm has lost their data constitutes a significant reputational risk, especially in today’s era of social media where that letter could be photographed, published online and shared thousands of times. This, combined with the threat of fines of up to €10m or 2% of global turnover for not reporting breaches, should firmly put data protection compliance and the introduction of the GDPR on the boardroom agenda of every organisation in the UK.
Rather than waiting until May 2018 and then trying to get everyone in an organisation up to speed on the new legislation, every business should be taking steps now so that, when May 2018 arrives, it is already up to speed. Doing so significantly reduces the risk of having to report data breaches to the Information Commissioner, and possibly to customers, employees and other third parties, from May 2018 onwards.
Whilst a lot of the press attention has been on high-profile data breaches caused by hackers and cyber-attacks, the one area that often gets overlooked, and is traditionally the weakest link in any data protection system, is the human element.
The vast majority of data breaches occur due to human error. This is someone such as an employee or sub-contractor doing something they shouldn’t be doing or simply making a mistake, such as sending a fax or e-mail to the wrong recipient, losing a memory stick, or failing to encrypt or destroy data properly.
Any business can have a superb written data protection policy. However, that policy is not worth the paper it is written on unless employees are trained so they understand the reason there is a policy in the first place, the personal consequences for them from an employment/disciplinary perspective of not complying with that policy, the wider financial and reputational consequences for the organisation itself, and how, in practice, that policy affects them as they go about their day-to-day tasks.
Without rolling out a comprehensive system of staff training (both initially and on an on-going basis), businesses will continue to put themselves at risk, both from a financial and reputational point of view, as employees go about their daily tasks oblivious to how their actions can have serious consequences down the line.