The recent personal data breach in the Cabinet Office highlights the importance of managing and processing personal data.
The personal data breach by the Cabinet Office in respect of those named in the 2019 New Year’s Honours List, which saw the addresses of virtually all those recognised with an honour published on the official government website, has once again shone the spotlight on the importance of managing the process of protecting personal data, and of taking steps promptly and efficiently if a data breach does take place.
On 27th December 2019, a file containing the full list of recipients of a New Year’s honour was uploaded to the Government’s website. The file is alleged to have contained the details of virtually all recipients’ addresses, including those of celebrities such as the singer Elton John, cricketer Ben Stokes, presenter Gabby Logan and chef Ainsley Harriott. The details could be viewed by the general public for a number of hours before the file was eventually removed from the website the following day, by which time the error had hit the front pages of the national newspapers, calls for a public inquiry had begun and the breach had been labelled as a ‘complete disaster’ by a former Cabinet minister.
What must my business do in the event of a data breach?
Chiefly, under the new data protection laws, it is vital that, upon discovering any personal data breach which could risk an individual’s rights and freedoms, you notify the Information Commissioner’s Office (‘ICO’) within 72 hours of becoming aware of it.
When notifying the ICO, you must, insofar as possible, give details of the nature of the data breach, including the categories and number of individuals and data records concerned, details of your business’ Data Protection Officer (if any), your understanding of the potential consequences of the breach and a description of the measures taken – or proposed to be taken – by the business in order to mitigate the breach.
If there has been a breach which is likely to result in a particularly high risk to the rights and freedoms of individuals, the legislation states that you must inform those concerned as soon as possible. The rationale for this is so that the individuals can then also take steps to protect themselves from the fallout from the data breach. The individuals concerned should be provided with a point of contact at the business (most likely the business’ Data Protection Officer), a description of the likely consequences of the data breach and a description of the measures taken – or proposed to be taken – by the business in order to mitigate the breach.
Data breach penalties
Reporting a notifiable data breach to the ICO is of vital importance. Failure to do so can result in a significant penalty to the business, namely a fine of up to 10m Euros or 2% of the business’ global turnover.
What steps can be taken to prevent this occurring again?
The business should undertake a root-and-branch review of its processes and procedures to locate the cause of the data breach and establish how it came to happen. Once the business has located this point of weakness, it can work to strengthen its existing procedures or implement new processes in order to enhance its protection and safekeeping of the personal data that it processes.
Typical practical steps that can be taken to prevent a recurrence of a personal data breach include:
- providing training and regular updates to staff;
- undertaking a thorough security and data protection audit;
- implementing or updating internal and external data protection policies and data processing agreements;
- implementing or updating disaster recovery and data breach plans;
- ensuring practical measures are adhered to, including encrypting devices and data, maintaining strong passwords, locking computers when they are left unattended, keeping confidential information in locked drawers etc.
How Can Verisona Law Help Me and My Business?
At Verisona Law, we can assist you and your business in preparing for the GDPR and ensuring your business is compliant by:
- reviewing your business’s data protection and privacy policies;
- reviewing your business’s data processing agreements;
- carrying out a data audit of your business;
- providing training to your business’s staff and board members; and
- assisting your business in the event of it suffering a personal data breach.
If you would like further information, please contact Grant Usher (Associate) at firstname.lastname@example.org or via telephone on 023 9231 2058.