[BreachExchange] New rules for data protection

Audrey McNeil audrey at riskbasedsecurity.com
Mon Apr 4 19:59:52 EDT 2016


http://www.lawgazette.co.uk/law/legal-updates/new-rules-for-data-protection/5054463.fullarticle

In the UK there is currently no legal obligation under the Data Protection
Act 1998 (DPA) to report personal data breaches to anyone. However, the
Information Commissioner’s Office (ICO) guidance recommends that serious
breaches should be brought to its attention.

Last year telecoms company TalkTalk was the subject of a cyber-attack in
which almost 157,000 customers’ personal details were hacked. The company
was criticised for its slow response, especially the time it took to inform
the ICO and customers.

The new EU General Data Protection Regulation contains an obligation on
data controllers to notify supervisory authorities of personal data
breaches. In some cases this extends to the data subjects as well. This
will have a big impact on data controllers in both the public and private
sectors. The regulation will replace all data protection legislation in EU
member states (including the UK’s DPA) without the need for further
national legislation.

Article 4 of the regulation defines a personal data breach as: ‘A breach of
security leading to the accidental or unlawful destruction, loss,
alteration, unauthorised disclosure of, or access to, personal data
transmitted, stored or otherwise processed.’

Article 31 of the regulation states that once the data controller becomes
aware that a personal data breach has occurred, it should, without undue
delay and, where feasible, not later than 72 hours after becoming aware of
it, notify the personal data breach to the competent supervisory authority
(the ICO in the UK).

There is no need to do this where the controller is able to demonstrate
that the breach is unlikely to result in a risk for the rights and freedoms
of individuals – for example, a very minor data breach involving innocuous
information about a few people. Where the 72-hour deadline cannot be
achieved, an explanation of the reasons for the delay should accompany the
notification.

Notification contents

The notification must contain the following minimum information:

- a description of the nature of the personal data breach including, where
possible, the categories and approximate number of data subjects and data
records concerned;
- the name and contact details of the controller’s data protection officer
(now a statutory position) or other contact point where more information
can be obtained;
- a description of the likely consequences of the personal data breach; and
- a description of the measures taken, or proposed to be taken, by the
controller to address the personal data breach, including, where
appropriate, measures to mitigate its possible adverse effects.

Where it is not possible to provide the above information at the same time,
the information may be provided in phases without undue further delay.

The new regulation will require all personal data breaches, no matter how
insignificant, to be documented by data controllers. This should include
the facts surrounding the breach, its effects and the remedial action
taken. This documentation must enable the supervisory authority to verify
compliance with article 31. Some, if not all of it, will also be accessible
via freedom of information requests, as many local authorities have already
found.

Individual rights

Article 32 of the new regulation states that data subjects should be
notified without undue delay if the personal data breach is likely to
result in a high risk to their rights and freedoms (for example, fraud or
identity theft), in order to allow them to take the necessary precautions.
The notification will be similar to the one made to the supervisory
authority. It should describe, in clear and plain language, the nature of
the personal data breach as well as recommendations for the individuals
concerned to mitigate potential adverse effects.

Notifications to individuals should be made as soon as reasonably feasible,
and in close cooperation with the supervisory authority and respecting
guidance provided by it or other relevant authorities. For example, the
need to mitigate an immediate risk of damage would call for a prompt
notification, whereas the need to implement appropriate measures against
continuing or similar data breaches may justify a longer delay.

There is no need to communicate a personal data breach to individuals if:

a) the data controller has implemented appropriate technical and
organisational protection measures, and those measures were applied to the
data affected by the personal data breach, in particular those that render
the data unintelligible to any person who is not authorised to access it,
such as encryption; or

b) the controller has taken subsequent measures which ensure that the high
risk for the rights and freedoms of data subjects is no longer likely to
materialise; or

c) it would involve disproportionate effort. In such a case, there will
instead have to be a public communication (for example, a press release) or
similar measure whereby the data subjects are informed in an equally
effective manner.

Even where a data controller has chosen not to inform data subjects, the
supervisory authority can instruct it to do so. No doubt there will be more
detailed rules setting out what kinds of breach require notification and to
whom.

Compensation

Currently the ICO can issue fines (monetary penalty notices) of up to
£500,000 for serious breaches of the DPA. When the regulation comes into
force, this will be increased to 4% of global annual turnover for the
preceding year (for businesses) or €20m.

The regulation contains a right to civil damages, as under section 13 of
the DPA. Article 77 of the regulation states: ‘Any person who has suffered
material or immaterial damage as a result of an infringement of the
regulation shall have the right to receive compensation from the controller
or processor for the damage suffered.’

This may see more data subjects take legal action against data controllers
for data breaches. There may even be more class actions like the one
against the London borough of Islington in 2013, when 14 individuals
settled for £43,000 in compensation after personal data was disclosed
without their authority. This action followed an ICO investigation which
resulted in the council being fined £70,000 under the DPA.

The Network and Information Security Directive will also have a big impact
on some UK businesses. It will impose new network and information security
requirements on operators of essential services and digital service
providers. These include banks, energy companies, healthcare providers and
cloud services. Their obligations will include a requirement to report
certain security incidents to competent authorities or computer security
incident response teams (to be established by each member state).

The directive will be formally adopted this spring, leaving the UK and
other member states two years to bring in national laws to implement it.

All organisations should be examining their approach to data breaches now
and be putting into place processes to comply with the new rules.