The average cost to UK businesses of a data breach rose by 7% over the last two years to £2.37m, while the average cost of a lost or stolen record is £104. That’s according to research into 39 UK-based companies in 12 sectors carried out by The Ponemon Institute in association with IBM.
These costs could rise after the introduction of the General Data Protection Regulation (GDPR), the EU’s first major overhaul of data protection legislation in two decades, set to be introduced in 2017. The GDPR will bring in a single set of rules across Europe for every company that handles the personal data of European citizens, potentially huge fines for data security breaches and new rights for individuals to control the information held about them.
“Any business that operates from within the EU, does business with companies inside the EU, stores its data in EU member countries or handles the personal data of European citizens will be affected,” says John Culkin, director of information management at Crown Records Management.
Agreement on the draft Regulation is expected by early 2016, although the GDPR will not become law until 2017 or early 2018. But with the underlying principles already agreed, businesses should start taking steps now to overhaul data management policies, processes and systems.
“Preparing for the Regulation is a bigger job than many people realise. The changes will be significant,” says Culkin. But before practitioners can advise their clients on the changes, they need to have a full grasp of the proposed new measures, or they could land themselves – and their clients – in financial and reputational hot water. According to a Crown Records Management survey, a quarter of accountants are unaware of the GDPR, with many more unprepared.
“The overriding theme of the GDPR is accountability,” says Robert Lands, head of intellectual property at law firm Howard Kennedy. Any business that handles personal data will have increased responsibility for the management and audit of that data, including the requirements to keep detailed records of processing operations and to carry out privacy impact assessments, before rolling out new products or services which may affect personally identifiable information.
“They will also have a duty to ensure that good training and watertight policies around data protection are in place,” says James Mullock, partner specialising in data protection at law firm Bird & Bird.
The current requirement to register with the Information Commissioner will be scrapped. “The emphasis will be on greater documentation requirements for companies,” says Lands. Organisations of a certain size – probably those with more than 250 employees, but also smaller ones if they hold more than 5,000 personal data records – will have to appoint a data protection officer.
There will be key changes to the way in which companies can use and store personal data, including stricter requirements for obtaining consent to collect and process data. Generally, data subjects will need to give an “unambiguous” consent. “For sensitive personal data such as medical records, they will need to give ‘explicit’ consent, which requires a positive action by the person,” adds Oliver Smith, data protection and intellectual property lawyer at Keystone Law.
Individuals will have “subject access” rights to view information held about them and the right to request it be edited. They will also be given the “right to be forgotten” (the “right of erasure”) – they will be able to request that companies delete personal data that is no longer relevant, or personal data that is not required for the purpose it was obtained. “This can apply particularly to publicly available information which may be true but embarrassing and irrelevant,” Smith explains. This right currently only applies to data processed within the EU – so data deleted on google.co.uk can still be found on google.com – but it will be extended worldwide for all data held about EU residents.
Businesses will also be required to report data security breaches, to regulators and potentially to those affected, “without undue delay”. And the threat of data breaches will no longer be a concern just for data controllers (data owners). “Data processors – any company or individual that processes personal data [controlled by someone else] – will now also be held responsible for its protection. This includes third parties such as cloud providers,” says Nick Pollard, UK general manager for digital forensics experts Guidance Software.
One of the most controversial proposals is the plan to significantly increase the fines for breaching the regulations, for example for failure to have lawful consent to process data or for failure to notify security breaches. Currently, the Information Commissioner’s Office has the power to levy a fine of up to £500,000. In future, administrative fines for non-compliance could be as high as 4% of a company’s global annual turnover. “The potential increase in liability will be enormous for larger organisations,” says Lands.
Companies that suffer data breaches will also be liable to provide “unlimited” compensation to those affected and may face significant loss of business as the fines will be made public. The new regulations also contain provisions that will make it easier for customers to enter into class actions if a data breach causes them harm or loss. “I expect more litigation to arise as a result of the new regulations,” says Mullock.
In preparation for the new regulations, the best thing that practitioners can do is to advise clients to review their existing data protection policies and practices, to ensure that they are compliant under the current legislation, says Jane Berney, technical manager at ICAEW’s Business Law Faculty. Clients should ensure they have up-to-date policies over consent, control and access to information, and should check whether, if a breach occurs, they are able to identify it and prevent it from happening again. “If they’ve done that, it’ll be easier to implement the new measures when they become law,” Berney says.
Clients should also be advised to review what personal data they are processing, and whether they need to be processing it. They need to identify exactly where data is stored, too. “This could be a real challenge considering the proliferation of personal devices in use, virtual and cloud services such as Dropbox and Evernote, and the ease with which data can be shared via email and social media,” says Pollard.
They need to check if the data is held entirely within the EU and if not, whether the international transfers are being done lawfully, says Lands. He explains: “Following the recent demise of the ‘Safe Harbor’ scheme which allowed EU businesses to process and store data in the US, there will be an increased focus on the safeguards needed for businesses to lawfully store data outside the European Economic Area.”
Will clients’ current systems be able to cope with the new obligation to report data security breaches “without undue delay”? Culkin says: “The timeframe looks likely to be set at 72 hours, which will be a real challenge for businesses that have not set up adequate processes.”
Will the systems cope with the new rights of individuals and respond to requests made under the “right to be forgotten”?
“Companies will be expected to find and edit large amounts of data quickly, and they will need processes in place for data subjects to make those requests,” Culkin says. Smith adds that data may need to be processed differently, with more metadata to make it possible to identify and remove data on particular individuals.
“Clients will also need to overhaul their systems to ensure consent for processing data is unambiguously given, ideally by a positive act (such as ticking a box) which is compulsory for sensitive data, or otherwise proceeding in the circumstances where the necessary consent statement is extremely prominent and clear,” adds Smith.
Lands recommends practitioners advise clients to check contracts with IT suppliers and other companies which might process personal data about the clients’ staff or customers. “Those contracts must contain clauses which deal specifically with personal data, limiting the use of that data; they should also contain an obligation on the supplier to immediately inform the client of any breach of security, loss or damage to the personal data,” he explains.
The policies and systems should be reviewed with a view to implementing a “privacy by design” approach to all projects and processes, sums up Culkin. He adds: “It means data protection should be at the heart of everything.”