Previously, on the GDPR Advent Calendar… my client “Nick” has discovered that part of a list recording childrens’ names, addresses and their respective “naughty-” or “nice-”ness over the preceding year, has been subject to a data breach. We have looked at the data breach response plan which Nick’s organisation has in place and while his external data processor (“ELF”) tried to work out what has been happening, we have taken advantage of the interlude to look at some of the basic principles of data protection law.
Now, let’s open Door 4…
First thing on Monday morning, my client calls a meeting. I am there as are several representatives from the External Logistics Force (“ELF”) who identified and (so it seems) are responsible for, the breach. Nick, usually very jolly even at this busiest time of the year, is extremely unimpressed with the lack of clarity about precisely what has happened. While it is in the nature of this sort of breach not to have as much information as might be wanted at an early stage, he is right to be frustrated. ELF seem to have been dragging their feet and as the meeting goes on it emerges that in clearing down the server of the personal data that had been exposed, they have also wiped and reformatted it, deleting valuable information about the nature and duration of the breach which Nick is going to need in order to make a breach notification report to the ICO.
It turns out that backup tapes may be able to assist with piecing together a picture of how serious this breach is. ELF are going to restore these and report back, but all of that is going to take time.
After the meeting, Nick asks me to consider the terms of his organisation’s contract with ELF. He wants to understand precisely what their obligations are in the context of a breach like this. This is particularly relevant under the existing legislation where all liability for any breach rests with the data controller.