By now most of us are aware that the General Data Protection Regulation (GDPR) is coming into force in May 2018, and this will involve a range of new duties and obligations on employers. Among the changes is a new duty to self-report data breaches - and the potential penalties for failing to do so, or for committing any other serious breaches of the GDPR, are eye-watering. Data breaches can also have wider reputational and financial consequences. Only last week, Morrisons was held vicariously liable for the actions of an employee who deliberately disclosed personal information about its staff. Over 5000 employees are claiming compensation for the distress caused by their salary details being posted online.
In this Law-Now we explain what will change under the GDPR in relation to the breach reporting process, the more onerous enforcement regime, and the steps employers should take to prepare for change.
Breach reporting under the GDPR
No one likes to report their own wrong-doing. Yet the risk attached to not doing so is now higher than ever. Once the GDPR is in force, data controllers will need to notify the ICO of personal data breaches without undue delay, and data processors will need to notify the data controller for which they process the data. A personal data breach is:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
The timescale for reporting such a breach to the ICO is 72 hours from becoming aware of the breach, which could be a tall order if you happen to find out about it at 5:00pm on a Friday. Where notification is made later than that, it must be accompanied by reasons for the delay - the bar for a convincing ‘reasoned justification’ is likely to be set high. It’s also important to note that for the first time data processors will be required proactively to notify the data controller of their data breaches, again without undue delay, so that the controller’s own 72-hour clock can start. A notification to the ICO can however be avoided where the breach is unlikely to result in a risk to the rights and freedoms of the data subjects concerned. Assessing whether that is the case will need careful, case-by-case analysis, and the reasoning should be recorded, since the GDPR also requires all breaches (notified or not) to be documented so that the ICO can verify compliance.
In addition, if the breach is likely to result in a high risk to the rights and freedoms of the data subjects involved (in an employment situation, the employees), then the data controller (the employer) must also communicate the personal data breach to the individuals concerned without undue delay, in clear and plain language.
Enforcement and penalties
Inevitably there is one question all business stakeholders want to know when a legal breach has been identified – how much are we on the hook for?
Under the current regime, the ICO can impose a fine on data controllers of up to £500,000. However, the penalties under GDPR have the potential to blow this out of the water. For the most serious infringements (what we refer to here as “Tier 1”, for example breaches of the core data protection principles or of data subjects’ rights), the ICO will be able to impose a financial penalty of up to €20million or 4% of worldwide annual turnover (whichever is the higher). For less serious “Tier 2” infringements, which include failing to comply with the breach notification duties described above, the cap is reduced to the not insubstantial €10million or 2% of worldwide annual turnover. These are in addition to a host of other options open to the ICO, including criminal prosecution and non-criminal enforcement (e.g. data protection audits).
Quite aside from any action taken by the ICO, there is of course also the issue of the brand damage that can result from a publicised data breach, not to mention any internal reputational harm where a Human Resources team is identified as the responsible party. Brand damage could be particularly harmful in sectors such as health and information technology, where data protection is an important perennial issue. It is crucial for clear rules to be set and disciplinary action to be taken appropriately in order to achieve a culture of compliance in which individual and organisational data protection responsibilities are taken seriously by all.
How would your security processes deal with a rogue employee?
An important factor to consider in light of the Morrisons case mentioned above is whether your organisation is sufficiently protected from rogue employees. If an employee in your business wanted to bypass security procedures, how easy would this be? Most data security breaches involve accidental human error. However, the Morrisons case was different because the employee deliberately leaked data. The ruling in the case creates an additional layer of risk for employers.
Morrisons was held vicariously liable for the actions of an employee who had disclosed the personal information of around 100,000 colleagues on the internet. While the disclosure had taken place outside working hours and from the employee's personal computer, the High Court considered that there was a sufficient connection between the position in which he had been employed and his wrongful conduct to make it right for the employer to be liable.
Criminal prosecutions for breach
We have also seen a recent case of the ICO bringing a criminal prosecution against a charity employee (rather than the charity itself) for a data breach, highlighting the tougher stance the ICO is already starting to take – even in relation to individuals. This looks set to continue once the GDPR comes into force, given the focus it will put on the ICO acting consistently with other countries’ often much stricter regulators.
What steps should HR teams take to plan ahead?
- The ICO has highlighted that it expects organisations to be taking action now to review the roles, responsibilities and processes in place for breach reporting. There are detailed formal notification requirements that need to be followed: a notification to the ICO must, at a minimum, describe the nature of the breach (including, where possible, the categories and approximate number of data subjects and records concerned), give the contact details of the data protection officer or another contact point, describe the likely consequences of the breach, and describe the measures taken or proposed to address it and mitigate its effects. Organisations will need to keep a data breach register (recording the facts of each breach, its effects and the remedial action taken) and formulate a data breach response plan to enable them to respond promptly to a breach.
- It would be advisable to link in with your IT and risk teams to discuss whether there are any additional security protocols which should be put in place to minimise the risk of rogue employees.
- HR teams should be trained on the new rules regarding data breaches and the organisation’s internal response plans.