A data breach is the unauthorised loss, destruction, corruption or disclosure of personal data. Data breaches can occur as a result of accidental or deliberate actions, as in the high-profile Morrisons case last year. They can also result from a cyber-attack, as Facebook and British Airways recently experienced. Such large-scale data breaches were frequently in the news in 2018, and it's a trend we can expect to continue into 2019.
Whilst businesses can minimise risk with the right technological and security measures, having appropriate policies, procedures and staff training in place is equally important to mitigate the impact of any breach.
Having an effective response plan ready to deploy is crucial for any business as reports to the Information Commissioner's Office (ICO) must be made within 72 hours of a breach. Where the breach is likely to result in detriment to affected individuals, they should also be informed without delay. It's worth remembering that all breaches should be documented, even those that don't require self-reporting to the ICO.
The type of data request most likely to be received by a business is a subject access request. Article 15 GDPR gives individuals the right to obtain a copy of their personal data as well as other supplementary information. In addition to the right to access, an individual may submit a right to erasure request (Article 17 GDPR). Otherwise known as the right to be forgotten, it enables individuals to request to have their personal data erased. This is not an absolute right, and as with the right to access, there are exemptions that may apply to the specific set of circumstances.
Businesses need to be aware of how to recognise such requests and how to handle these appropriately. Again, procedures and policies need to be in place to enable businesses to respond promptly once a request is received. It's best practice to have a policy for recording details of any requests, and any communication between the business and the individual in respect of the request.
An example of a step-by-step procedure for responding to data requests
For both breaches and requests, an individual may lodge a complaint with the ICO or issue legal proceedings for a breach of data protection. Section 168 of the Data Protection Act 2018 provides that an individual who has suffered material or non-material damage as a result of a data protection breach has a right to compensation, and that non-material damage includes distress. This means individuals can claim damages for distress alone, without having to prove any financial loss.
The first group data breach claim in the UK was heard recently in the England and Wales Court of Appeal (Morrisons Supermarkets Plc v Various Claimants EWCA Civ 2339). In this case 5,518 employees advanced a claim against the supermarket. Morrisons was found vicariously liable for a deliberate data breach carried out by one of its employees. This was despite the breach being the result of a malicious and criminal act committed outside working hours by a disgruntled employee. This is a concerning precedent for companies, as it means they may be held liable even if reasonable data security measures are in place. Morrisons has indicated its intention to appeal the decision to the Supreme Court, so watch this space.
The Morrisons case highlights the importance of having an effective and immediate response plan in place for any breach. No matter what protective or compliance mechanisms are in place, there will always remain a risk of disclosure. It also demonstrates the need for businesses to consider insuring against such scenarios going forward.
For all forms of data disputes, a quick, reasoned and effective response is crucial to mitigating any adverse effects. More often than not, it will be clear at the outset whether the dispute will be a difficult one. It's worthwhile seeking advice at an early stage, before a crisis develops, particularly in light of the tighter deadlines for reporting breaches and handling requests.