Breach response under the GDPR

As readers of this newsletter will probably be aware, the much discussed General Data Protection Regulation (GDPR) came into effect on 25 May 2018. In our last Solicitors' Risks in Brief we turned the spotlight on the brewing storm of compensation claims under the GDPR, and warned that solicitors may find themselves in the firing line as such claims become more common. In this issue we wanted to include a brief note on a related area which is keeping the data and cyber risk specialists at DAC Beachcroft increasingly busy – data breach response.

Under the Data Protection Act 1998 there is no general obligation that would require solicitors notify data breaches. This will change under the GDPR, which imposes a general obligation to self-report data breaches to the ICO within 72 hours, and to affected data subjects "without undue delay". The Article 29 Working Party has recently updated its guidance on data breach notification here, and the ICO has provided further information on what it expects to see here. The data and cyber risks team at DAC Beachcroft have extensive experience in dealing with data breach scenarios, both large and small, and can assist in marshalling a response that will restrict resulting exposures, whether that be to third party compensation claims, regulatory fines, or other associated losses and exposures.

However, given the incredibly restrictive 72 hour timeframe imposed under the GDPR, there is no substitute for solicitors adopting and maintaining their own internal breach response plan. It is important that such plans are living documents that are understood by staff. All staff should be able to identify a data breach, and those with key roles in the plan should understand their responsibilities. Ideally, this will involve walking through the plan on a sufficiently regular basis, and considering how it will respond to various breach scenarios.