The Data Protection Act - Personal Data Breaches
Reporting and Consequences
With an estimated 10 billion records being breached in 2019, as well as 2,795 personal data breach reports being received by the UK’s Information Commissioner’s Office (ICO) in the third quarter of 2019 alone, it seems that not a day can go by without hearing of a newly discovered data breach.
As the quantity of breached data continues to grow and the average annual cost to businesses suffering from a breach balloons to £4,180, organisations are increasingly held to account for security failures. From the ICO’s ability to hand down prodigious fines, to the irreversible reputational damage that can be caused by the disclosure of a breach, information security has never been more important.
Failure to Comply with the Data Protection Act 2018
In the first 8 months following GDPR there were 10,600 data breach notifications made to supervisory authorities across Europe, and though many of these notifications may have been in relation to a personal data breach, the answer to the question ‘what is a breach of data protection?’ does not just relate to ‘data breaches’.
Though many of the instances we hear of are ‘personal data breaches’ (wherein personal data is disclosed, altered or lost without authorisation), a breach of the Data Protection Act may also include failure to properly comply with, for instance, any of the seven principles of data protection set forth by the DPA.
These principles are established in part to help ensure organisations do not act in a manner that leads to a breach of personal data, but also to enforce the data rights of individuals. As such, failure to adhere to, for example, principle 1 (lawfulness, fairness and transparency) would qualify as a breach of data protection without the occurrence of a personal data breach.
What Qualifies as a Personal Data Breach?
Though it may seem straightforward, as with many technical matters, it is worth taking the time to properly define a term; in this case ‘personal data breach’. As defined and explained by the Information Commissioner’s Office, a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.”
With this working definition, a personal data breach can encompass a variety of incidents, including: the accidental sending of personal data to an incorrect recipient, unauthorised access by a third party, the loss of hardware containing personal data, or the loss of availability of personal data.
The Seven Principles of the Data Protection Act
Often considered the most significant development to the key principles of data protection is the addition of the ‘Accountability’ principle, which places a renewed responsibility upon organisations not only to take measures to secure the personal data with which they work, but also to justify and document their decisions and actions.
Having replaced the former eight principles laid forth by the DPA 1998, the seven principles of the DPA 2018 are outlined below.
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Further explanations for these principles can be found here: What are the Eight Principles of the Data Protection Act?
The Information Commissioner can, for the most serious of data protection violations, levy a maximum fine of 20 million Euros or 4% of the total annual worldwide turnover (of the preceding financial year), whichever is higher.
When does a Data Breach need to be Reported?
There are certain events organisations are required to report to the relevant authority, which in the case of the UK is the Information Commissioner’s Office (ICO).
Before rushing to report an incident, it is recommended that you first consider the likelihood and severity of the risk that a breach poses to the rights and freedoms of individuals following the incident.
- Should a personal data breach occur, you are required to report the event to the relevant supervisory authority within 72 hours of the breach becoming known.
- If the breach is likely to result in ‘adverse effects upon the rights and freedoms of data subjects’, then those individuals must be informed “without undue delay.”
- You must also ensure that there are “robust breach detection, investigation and internal reporting procedures in place” to mitigate the risk and chance of a personal data breach occurring.
To help in understanding your responsibility to report an incident, the ICO offers a Self-Assessment process to determine whether an incident needs reporting. The assessment takes approximately 2 minutes to complete, and the ICO emphasises that not all breaches need to be reported.
Report a Data Breach
Should an incident be confirmed as a personal data breach by the self-assessment process, your next action should be to communicate with the ICO directly, and without undue delay. The ICO’s reporting page can be found here.
Preventing a Data Breach
With the introduction of the updated data protection legislation, there is a deepened duty for organisations to take responsibility for the personal data with which they work. Though attackers and attacks reported in the media may seem very sophisticated, complicated and difficult to defend against, they often rely upon simple issues that are relatively easily addressed.
The following are just some of the methods and practices that can be used to help you and your organisation defend against information security attacks and protect your most valuable asset: your information.
Though it may sound obvious, it is surprisingly common in even the most technologically ‘capable’ organisations that software is not kept properly up-to-date, patched and capable of defending against the ever-changing threat landscape.
Both criminals and researchers work relentlessly to find new vulnerabilities to either exploit or fix. This constant race to find weaknesses is rendered redundant if organisations fail to keep equipment and software current and secure, effectively inviting nefarious actors to exploit organisational weaknesses.
The encryption of data is something upon which we all routinely rely. From the private messages sent within our messenger apps, to the wi-fi signals connecting us to modems, encryption is essential to modern computing and to ensuring information security.
Under the Data Protection Act 2018, organisations are required to implement appropriate technical and organisational measures to secure personal data. Encryption is one of the main methods for encoding data in such a way as to make it inaccessible to unauthorised parties, ensuring the data’s confidentiality.
We’ve all probably been in the difficult situation of having lost an important file or document. Though this can be a mere inconvenience at times, a serious loss of access and availability can be utterly catastrophic to an ill-prepared organisation. As such, information security isn’t just about helping to prevent attacks, it’s also about safeguarding information in the event of a successful one.
Just as encryption ensures the confidentiality of information, backing up helps to ensure its availability. Should the worst happen, such as a ransomware attack, an organisation with adequate backups will have minimised the impact across areas including continuity, information integrity and reputation.
Though there are many technical measures that can be taken to help defend against information security attacks, all organisations should also take the time to invest in the education, awareness and vigilance of their staff.
With 34% of all breaches involving internal actors, businesses can no longer afford to ignore the carelessness and negligence that frequently contribute to the success of an information security attack.
By educating your staff regularly with interactive and knowledge-demonstrating tutorials, you don’t just help to improve compliance, but also reliably reduce the risks of human errors and change the standards of awareness.
Hut Six Information Security Awareness Training
Featuring twenty-six comprehensive tutorials covering all aspects of information and cyber security, Hut Six’s training is focused on demonstrating learning outcomes. With Hut Six’s learning management system (LMS), employers can assess and track the achievements of staff and better understand areas for improvement.
Hut Six’s comprehensive solution builds a security aware culture by focusing on achieving meaningful behavioural change. With engaging training, your organisation’s defences are strengthened against malicious actors, reputational damage and potential fines and losses, whilst satisfying compliance obligations.