The number of organisations bracing themselves for legal battles over data breaches is increasing. In addition to the reputational damage and fines, companies like Equifax, Ticketmaster and British Airways (who suffered cyber-attacks that resulted in significant data loss) face the potential wrath of masses of affected data subjects coming together to take legal action based on the risk-free “no win, no fee” model.
GDPR requires organisations to:
In December 2017, the UK High Court found UK supermarket chain Morrisons vicariously liable for a data breach which gave rise to a class action (known also as a ‘group action’ under the UK Data Protection Act 2018) from over 5,000 of the supermarket’s current and former employees. The case concerned a disgruntled former employee and the leaking of payroll data on c.100k employees. It demonstrated the extent of responsibility being placed on Data Controllers to safeguard personal data, and the importance of ingraining and evidencing data protection in all departments, functions and systems.
As a Data Controller, the problem isn’t necessarily what you do with personal data. It comes down to what you failed to do, or what can be deemed as having been neglected. Whilst it may be impossible to control the actions of others and completely prevent breaches from occurring, steps must be taken. You must be able to demonstrate diligence in the protection of personal data. It’s vitally important that all the data protection ‘principles’ within Article 5 of the GDPR are reflected and documented within your operations.
Data Controllers should implement technical and organisational measures that provide security which is appropriate to the level of risk posed by the processing of personal data. The security measures should be reflective of the nature, sensitivity and value of the data held, together with the likelihood and impact of it being compromised.
It is vitally important that Data Controllers have contracts (Data Processing Agreements) with third-party Data Processors that process their personal data. The Agreements must require Processors to implement equally appropriate, effective and proportionate measures to protect the data. This is because the Data Controller remains fully responsible for personal data processed on its behalf.
Once appropriate measures are introduced, it is advisable to create schedules to review and monitor the continued suitability of the measures. Penetration tests, reviews of access rights and activity logs are all examples of ways to ensure ongoing security.
Whilst meeting the data breach notification obligations is very important, the protection of personal data must be reflected in your daily business. If a breach does occur, especially one which could give rise to a class action, make sure you can demonstrate that:
Group actions caused by large-scale personal data breaches are already a real consideration for many organisations. If they occur, they can result in significant financial and legal costs and reputational damage, and they can be heavily resource-intensive.
Whilst a data breach may never be 100% avoided, a proactive approach to protecting personal data will reap long-term dividends and reduce the potential consequences should the worst occur.
Please contact us for further help and advice.