Data Protection Expert Explains How The New GDPR Would Impact Breach
As the Independent Parliamentary Standards Authority (IPSA) investigates a “serious data breach” which saw details of MPs’ staff names and salaries wrongly posted on the internet, experts at Irwin Mitchell examine the potential impact new data protection reform would have on an organisation.
The organisation’s Chief Executive, Marcial Boo, informed MPs that “extremely sensitive personal information” about parliamentary staff had been mistakenly published on its old website.
The information published in error contained confidential personal information about MPs’ staff names, salaries, rewards, working patterns and holiday entitlements.
The confidential information remained online for around four hours before being removed by IPSA “within an hour” of it being notified of the breach.
The watchdog, which says it takes information security “very seriously”, is currently investigating how the information was made public and will directly contact all those affected by the breach.
The General Data Protection Regulation (GDPR) applies from 25 May 2018 and will affect every organisation that processes personal data. Under the new rules, non-compliance can lead to fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher.
Joanne Bone, a Partner at Irwin Mitchell, specialises in helping organisations comply with, and maximise the potential opportunity of, the new data protection reform.
Expert Opinion
As the law currently stands, organisations which suffer data breaches do not legally have to notify those affected. It is often good practice to do so, but notification is not currently compulsory. Under GDPR, if there is a data breach which gives rise to a high risk for the rights and freedoms of individuals, it will be compulsory to notify the Information Commissioner's Office (ICO) and the individuals affected within 72 hours.
In view of the short timescale, one thing that all businesses need post GDPR is a detailed contingency plan as to what they will do in the event of any data breach.
If the GDPR was in force now and IPSA was found not to be compliant, there is also the potential for a fine. At the moment the fine in the UK is limited to £500k, but post-GDPR it could be €20m or 4% of global turnover.
Finally, there is the possibility of a damages claim if loss is suffered as a result. Under the Data Protection Act you used to (until recently, following a court decision) have to show financial loss before you could recover for distress. Under GDPR you can recover any loss without showing you have been affected financially.
This is a prime example of the importance of becoming GDPR compliant by the deadline of 25th May 2018. Many organisations are aware of the importance of the new regulations but unfortunately they are not doing enough about it.
All organisations will have different responsibilities when it comes to the new rules and it’s important to recognise that not only is there the stick of having to comply with the rules, there is also a carrot. Taking a proactive approach towards GDPR compliance will potentially offer the benefits of building a trustworthy reputation and potentially enable you to use data to the advantage of your business – helping you save and make money in the long term.
Joanne Bone - Partner
To discuss your business’ GDPR compliance needs and find out how you can start seeing the rewards of good data governance, please contact our GDPR experts.