Clock is Ticking on GDPR - The Danger of Data Breaches

In Europe, a data subject who provides their data to a company grants that company the right to use the information only for a specific and stated purpose. Just because a company collects that data, and pays for the storage and processing needed to provide us with a service, does not give it the right to use that information for any purpose other than the one it intended, or the one it told us the data would be used for.

So let’s take a real life example: if you sign up for a bank account or insurance policy you may read in the small print (and I am paraphrasing) “tick here if you are OK with us sending you details of offers or marketing.”

If the data subject does not tick the box to opt in and their data is still used to send marketing information, then that is a breach. It is certainly not a €20 million data breach, but it is an example of using data inappropriately and without the right to use it.

What is a Serious Data Breach?

What is a €20 million breach?

More serious breaches include those where the company processing the data (the data controller or the data processor, in technical terms) is not protecting Personal Data from misuse or theft. Under GDPR, which comes into force on the 18th May 2018, there are two classes of Personal Data. Personal Data is information that can identify a living individual, which includes name, address, telephone number, email address and even IP address. This can include unstructured information such as a notes field: if it contained something like “the woman from 12 High Street, who owns the red car”, and there is only one woman living at number 12, or only one red car owner, or only one person living at number 12, then this information identifies a living individual.

Personal Sensitive Data is information that relates to things like union membership, medical data, the sexual preferences of the data subject, GPS or location information and biometrics. Anything that falls into one of those categories must be protected more rigorously.

Both Personal Data and Personal Sensitive Data require protection from misuse, which can occur within the organisation that has collected the data and has a right to use it for a purpose. Organisations also have a duty to protect the data they hold from being hacked and from otherwise becoming the subject of a data breach. An example of what the Information Commissioner’s Office - the data protection authority in the UK - might consider to be a €20 million breach is when unencrypted data is hacked.

If a company accidentally exposes the data on a web server that anyone can access, or worse still allows the data to be indexed by Google, these would be considered gross breaches of personal data and information.

Having taken the appropriate measures to protect the Personal Data under their control, businesses also need to ensure that they have a response plan in place that details how they will respond to a data breach. An effective approach to governance will allow the Data Protection Officer to understand the nature of the breach and inform the relevant authority of the nature and severity of the breach within the 72 hours mandated by GDPR. This is an important role and one that should properly be entrusted to a co-sourcing partner like Fifth Step to ensure all the appropriate steps are taken quickly.

A Chief Information Officer Responsibility?

There is some debate in the IT community as to whether a CIO can also be the Data Protection Officer. My view is that CIOs can’t do both roles because of the poacher and gamekeeper scenario: they are responsible for restoring, and need appropriate challenge. That is another reason why we believe the virtual Data Protection Officer service that Fifth Step offers is valuable to companies.

The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the DPA. The GDPR provides the following rights for individuals:

1. The Right to be Informed
2. The Right of Access
3. The Right to Rectification
4. The Right to Erasure
5. The Right to Restrict Processing
6. The Right to Data Portability
7. The Right to Object
8. The Right to Manual Processing

These are the key rights that a data subject can ask to have enforced. Insurance companies need a business process and the right systems in place to cope with these demands. Remember, the GDPR comes into force on the 18th May, so the clock is ticking.

Darren Wray