1. Minor breach reporting
Five months on, self-reported data breaches for the first half of 2018 are already over 30% higher than for the whole of 2017. The ICO’s latest annual report (available here) revealed that in June, the ICO received over three times as many notifications as it normally receives. As such, the ICO have issued an update to remind organisations that a “de minimis” threshold will apply to reports that have to be made, and only those breaches which are likely to threaten an individual’s security (as determined by the data controller/processor) must be reported.
Data controllers and processors are right to think that, under the GDPR, all data breaches (however minor) must be reported to the ICO (the UK regulator) within 72 hours (not working hours) of discovery. For clarity, a data breach is not just about losing personal data; it includes any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (whether or not deliberate).
The ICO is yet to quantify this threshold in precise terms. In the meantime, all organisations are encouraged to call the ICO’s helpline (details below) for guidance, before making a formal report online.
Note that this will not apply to any organisation processing data that is additionally subject to the Network and Information Systems Regulations 2018 (NIS), which already impose a separate threshold. The NIS Regulations apply to any organisation with more than 50 staff and annual turnover of more than €10m that processes personal data in the water, transport, energy, healthcare and digital infrastructure sectors, including online search engines, marketplaces and Cloud computing services.
Breach reports to the ICO can be made directly using their telephone line (0303 123 1113) or online form (available here). Alternatively, seek legal advice if you have suffered a data breach and are not sure whether to make a formal report.
2. When you can rely on an exemption
Whilst it may seem that the GDPR, UK Data Protection Act 2018 (DPA) and NIS Regulations collectively apply to any personal data belonging to any living individual that is processed at any time, by any organisation, for any purpose, the reality is not quite as comprehensive. A number of exemptions do exist and can be used on a case-by-case basis (provided that all reliance is justified and documented), and these have been recently updated on the ICO’s website (available here). Where an exemption validly applies, a data processor/controller will be relieved of the duties to report breaches, to comply with the principles and to respond to individuals wishing to exercise their rights.
As the ICO’s website shows, many specific exemptions exist (too many to list here). By way of example, these can apply to journalists, examiners, researchers and statisticians (among others). Detailed information is readily available, and all organisations are encouraged to consult it before attempting to rely on an exemption. The exemptions are also worth considering before time, effort and cost are spent (and possibly wasted) implementing policies and procedures to protect personal data where they may not actually be necessary.
Organisations are reminded that the GDPR, DPA and NIS Regulations do not apply to data processed by a sender and recipient who are both operating solely for household/domestic purposes (e.g. personal telephone correspondence, WhatsApp messages etc.), or to any data processed for law enforcement or national security reasons.
3. Enforcement action taken
It has been a busy period for the UK’s data protection regulator (illustrated in the article above). Whilst only the most substantial financial penalties, or highest profile data breaches, will make BBC news, it would be foolish to think that these are the only organisations to have failed to comply with the GDPR to date. A number of recent, significant sanctions are illustrated below, which organisations should take note of.
- Heathrow Airport Limited (HAL) – £120,000 – failure to implement appropriate measures to ensure portable devices were appropriately secure. An individual found a USB memory stick. This was plugged into a computer and found to contain over 1,000 files (1% of which contained names, dates of birth, vehicle registrations, passport details and mobile numbers for guests and security personnel), none of which were encrypted or password protected. It is critical to note that despite HAL’s defence that the personal data was not readily searchable (it was visible for only 3 seconds in a video that incidentally showed open pages of a folder), a motivated individual could locate and extract the data in a permanent form. The USB stick was then handed to a national newspaper (which returned it to HAL, after retaining a copy of the files, which it refused to destroy or return). Whilst this was a one-off incident (the loss or misplacement of the USB stick), and the personal data contained within it was minimal and only accessible to a motivated individual, the ICO’s primary concern related to the failure to encrypt or password protect the relevant device, which was indicative of a wider failure by HAL to implement appropriate technical security measures to ensure all devices were encrypted.
- Oaklands Assist (UK) Limited – £150,000 – for making over 60,000 unsolicited marketing calls. This was flagged to the ICO in June 2017 when Oaklands was identified as a top 50 organisation responsible for generating complaints via the ICO’s online reporting tool. Naturally, this was investigated, and the specific complaints concerned aggressive, rude and repetitive sales tactics.
- Bupa Insurance Services Limited – £175,000 – personal data from Bupa’s global CRM system was discovered for sale on the dark web as a result of a deliberate leak by a rogue employee. The ICO found that the method of extraction used by the rogue employee (generating bulk data reports and attaching them as .zip files to an email sent to a personal account) could have been prevented with appropriate measures.
- Boost Finance Limited (BFL) – £90,000 – for sending over 4m unsolicited marketing emails to individuals who had subscribed to websites operated by companies affiliated with BFL (despite the ICO receiving only 4 complaints). Whilst BFL claimed it had valid consent to send the emails, the privacy policies on their affiliated companies’ websites did not specifically name BFL (or any of its trading styles, such as findmeafuneralplan.com); they only listed “sponsors and selected marketing partners”. The emails also did not give recipients the opportunity to opt out at any time. The fine was issued as a result of “inadequate, generic, vague, misleading, tiered and incomplete” personal data collection methods and privacy statements used to try to obtain consent to direct marketing emails.
- Equifax Limited – £500,000 – failure to adequately protect data (15m unique records) during a cyber attack in 2017. Names, telephone numbers, driving licence details, dates of birth, passwords and secret questions/answers of over 15.5m UK data subjects were compromised during the attack. The central issue was that this attack exploited a critical vulnerability notified to Equifax by the US Dept. of Homeland Security earlier that year as requiring immediate attention. The relevant weakness was not patched.
The ICO publicises all action it has taken on its website (available here). All funds received from ICO monetary penalty notices are returned to central Treasury and not retained by the ICO or its staff.
4. How safe will our data be following 29 March, 2019?
There has been significant publicity over precisely what the UK’s arrangement to leave the EU next year will look like (if any). This has, understandably, created considerable uncertainty for organisations across all aspects of their businesses, and the legal landscape within which that business will operate post-Brexit can be equally unclear. However, recently published government guidance has tried to bring some reassurance as to what will happen to our personal data if the UK doesn’t secure a deal. Put simply, in the absence of any agreement, the UK Data Protection Act 2018 would remain in force, and the EU Withdrawal Act would automatically incorporate the GDPR into UK law to sit alongside it (as it does now).
However, data transfers to non-EEA countries that are not automatically deemed to have adequate protections in place must clear additional compliance hurdles to be valid. Failure to do so will breach the GDPR. Whilst the intention remains to continue to uphold the free flow of data between the EU and UK post-Brexit, organisations will need to start considering how their data is to be transferred securely, and what contractual protections might be needed (which may mean using the EU model data transfer clauses). Whilst it would be beneficial for the European Commission to make an adequacy decision regarding the UK at the point of exit, until that decision is made, organisations will need to start preparing on the basis that the UK will not be an adequate territory.