Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Yes. The Data Protection Act 2000 sets out technical and organisational measures that data controllers must undertake to secure personal data against:

  • unauthorised access;
  • accidental or unlawful destruction, manipulation, disclosure and transfer; and
  • other unlawful processing.

Data controllers must also comply with data confidentiality rules and ensure that personnel who process personal data are bound by confidentiality obligations.

The Data Protection Act does not expressly stipulate which data security measures must be taken, but provides that any such measures should reflect the current state of technological capabilities and be economically tenable. Thus, good industry practices have become crucial in determining the necessary data security measures to take in the event of a breach of the act or internal control systems. Such practices are particularly relevant in the context of an internal control systems breach, where the courts will examine the potential liability of persons responsible for the breach (eg, managing directors). Liability for lack of sufficient data security seldom arises when good industry practices are followed.

Further, Article 32 of the EU General Data Protection Regulation provides for general data security obligations. Appropriate technical and organisational measures that have to be implemented may include:

  • pseudonymisation and encryption of personal data;
  • ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Since the EU General Data Protection Regulation does not stipulate concrete security measures, best practices are still crucial in determining the necessary data security standard. 

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

Yes. The data controller must inform the data subjects concerned in an appropriate manner as soon as it becomes aware that data under its control has been systematically and seriously misused and such misuse may cause the data subjects to suffer damages. The disclosure obligation does not apply if only minor damage is likely to occur and the costs of disclosure would require disproportionate effort.

This data breach notification duty will be significantly tightened once the EU General Data Protection Regulation applies. According to the new regime, any personal data breach has to be notified by the controller to the data protection authority within 72 hours, unless the breach is unlikely to result in a risk to the data subjects. The notification must include a detailed description of the data breach, as well as potential consequences and adapted counter-measures.

Where the breach poses a high risk to data subjects, the controller shall also communicate the data breach to the data subjects concerned without undue delay.

Are data owners/processors required to notify the regulator in the event of a breach?

Not under the Data Protection Act 2000. The data controller must inform only the natural and legal persons whose data is affected by the breach; there is no general obligation to notify the Data Protection Authority. However, telecommunications operators are already obliged to directly inform the Data Protection Authority in such an event.

The new EU General Data Protection Regulation will significantly change these rules and establish an obligation to report data breaches to the data protection authority.