The General Data Protection Regulation (GDPR) will come into force on 25 May 2018 and brings with it new and improved regulatory powers for the Information Commissioner’s Office (ICO).
What will this mean for businesses facing a data breach under the new GDPR regime?
When to inform the ICO of a data breach
Under the current Data Protection Act the ICO expects to be informed about serious breaches of data protection. This is to change under the GDPR. A breach notification will be mandatory and any personal data breach must be notified to the ICO within 72 hours of awareness and to the individual affected “without undue delay”.
As a result, organisations will be required to amend their internal processes relating to the handling of data breaches to ensure that the notification requirement is complied with.
Upon receipt of a notification or information concerning a data breach under the GDPR, the ICO is provided with increased powers of investigation including:
- ordering the controller and the processor to provide information necessary to perform its tasks;
- carrying out a data protection audit;
- reviewing certificates;
- notifying the controller or processor of any alleged infringement of the GDPR;
- obtaining from controller or processor access to all personal data and all information necessary to perform its tasks; and
- obtaining access to any premises of controller and processor including data processing equipment.
The ICO may also take corrective measures when investigating a data breach. Some of the corrective powers that can be imposed by the ICO could have a considerable impact on the day-to-day running of a business. Such corrective measures include:
- Issuing warnings to a controller or processor that intended processing operations are likely to result in infringement of the GDPR.
- Issuing reprimands to a controller or processor where processing operations have infringed provisions of the GDPR.
- Ordering the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to the GDPR.
- Ordering the controller or processor to bring processing operations into compliance with the GDPR.
- Ordering the controller to communicate a personal data breach to the data subject.
- Imposing a temporary or definitive limitation including a ban on processing.
- Ordering the rectification, restriction or erasure of personal data.
- Withdrawing a certification or ordering a certification body not to issue a certificate.
- Imposing administrative fines.
- Ordering the suspension of data flows to a recipient in a third country or to an international organisation.
In addition to control measures, the GDPR also provides the ICO with stronger enforcement powers and powers to impose higher monetary penalties. The ICO will have the power to issue hefty fines of up to €20 million (approximately £17 million) or up to 4% of an organisation's annual global turnover. The GDPR splits the fines into two groups.
1) The organisation will be subject to the maximum fine of up to €20 million, or up to 4% of the organisation's global annual turnover, whichever is higher, where the following provisions have been infringed:
- the basic principles for processing data (including conditions of consent);
- the data subject's rights;
- the transfers of personal data to a recipient in a third county or an international organisation;
- any obligations pursuant to adopted member state law; and
- non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows.
2) The organisation will be subject to the maximum fine of up to €10 million, or up to 2% of an organisation's global annual turnover, whichever is higher, if an organisation infringes the requisite provisions relating to the obligations of: the controller and the processor, the certification body, or the monitoring body.
The obvious concern is that such high fines may have a serious impact on the health of a business. However, whilst each fine is to be “effective, proportionate and dissuasive”, the facts of each individual case will be taken into account as will mitigating factors such as the nature, gravity and duration of the breach, timing of the notification to the ICO, degree of co-operation from the organisation with the ICO and compliance with corrective measures.