The Data Protection Act – Personal Data Breaches, Reporting and Consequences

With an estimated 10 billion records being breached in 2019, as well as 2,795 personal data breach reports being received by the UK’s Information Commissioner’s Office (ICO) in the third quarter of 2019 alone, it seems that not a day can go by without hearing of a newly discovered data breach.

As the quantity of breached data continues to grow and the average annual cost to businesses suffering from a breach balloons to £4,180, organisations are increasingly held to account for security failures. From the ICO’s ability to hand down prodigious fines, to the irreversible reputational damage that can be caused by the disclosure of a breach, information security has never been more important.

Failure to Comply with the Data Protection Act 2018

In the first 8 months following GDPR there were 10,600 data breach notifications made to supervisory authorities across Europe. Though many of these notifications may have related to a personal data breach, the answer to the question ‘what is a breach of data protection?’ is not limited to ‘data breaches’.

Though many of the instances we hear of are ‘personal data breaches’ (wherein personal data is disclosed, altered or lost without authorisation), a breach of the Data Protection Act may also include failure to properly comply with, for instance, any of the seven principles of data protection set forth by the DPA.

These principles are established in part to help ensure organisations do not act in a manner that leads to a breach of personal data, and in part to enforce the data rights of individuals. As such, failure to adhere, for example, to principle 1 (lawfulness, fairness and transparency) would qualify as a breach of data protection even without the occurrence of a personal data breach.

What Qualifies as a Personal Data Breach?

Though it may seem straightforward, as with many technical matters, it is worth taking the time to properly define a term; in this case ‘personal data breach’. As defined and explained by the Information Commissioner’s Office, a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.”

With this working definition, a personal data breach can encompass a variety of incidents, including: the accidental sending of personal data to an incorrect recipient, unauthorised access by a third party, the loss of hardware containing personal data, or the loss of availability of personal data.

The Seven Principles of the Data Protection Act

Often considered to be the most significant development to the key principles of data protection is the addition of the ‘Accountability’ principle, which places a renewed responsibility upon organisations not only to take measures to secure the personal data with which they work, but also to justify and document their decisions and actions.

Having replaced the former eight principles laid forth by the DPA 1998, the seven principles of the DPA 2018 are outlined below.

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality
  7. Accountability

Further explanations for these principles can be found here: What are the Eight Principles of the Data Protection Act?

Fines

The Information Commissioner can, for the most serious of data protection violations, levy a maximum fine of 20 million Euros or 4% of the total annual worldwide turnover (of the preceding financial year), whichever is higher.

When does a Data Breach need to be Reported?

There are certain events organisations are required to report to the relevant authority, in the case of the UK: The Information Commissioner’s Office (ICO).

Before rushing to report an incident, it is recommended that you first consider the likelihood and severity of the risk that the breach poses to the rights and freedoms of individuals.

Responsibilities

  • Should a personal data breach occur, you are required to report the event to the relevant supervisory authority within 72 hours of the breach becoming known.
  • If the breach is likely to result in ‘adverse effects upon the rights and freedoms of data subjects’, then those individuals must be informed “without undue delay.”
  • You must also ensure that there are “robust breach detection, investigation and internal reporting procedures in place” to mitigate the risk and chance of a personal data breach occurring.

To help in understanding your responsibility to report an incident, the ICO offers a Self-Assessment process to determine whether an incident needs reporting. The self-assessment takes approximately 2 minutes to complete, and the ICO emphasises that not all breaches need to be reported.

Report a Data Breach

Should an incident be confirmed as a personal data breach by the self-assessment process, your next action should be to communicate with the ICO directly, and without undue delay. The ICO’s reporting page can be found here.

Preventing a Data Breach

With the introduction of the updated data protection legislation, there is a deepened duty for organisations to take responsibility for the personal data with which they work. Though attackers and attacks reported in the media may seem very sophisticated, complicated and difficult to defend against, they often rely upon relatively simple and easily addressed issues.

The following are just some of the methods and practices that can be used to help you and your organisation defend against information security attacks and protect your most valuable asset: your information.

Software

Though it may sound obvious, it is surprisingly common in even the most technologically ‘capable’ organisations that software is not kept properly up-to-date, patched and capable of defending against the ever-changing threat landscape.

Both criminals and researchers work relentlessly to find new vulnerabilities, to exploit or to fix them respectively. The effort that goes into finding and fixing weaknesses is wasted if organisations fail to keep equipment and software current and patched, effectively inviting nefarious actors to exploit known organisational weaknesses.

Encryption

The encryption of data is something upon which we all routinely rely. From the private messages sent within our messenger apps, to the wi-fi signals connecting us to modems, encryption is essential to modern computing and the ensuring of information security.

Under the Data Protection Act 2018, organisations are required to implement appropriate technical and organisational measures to secure personal data. Encryption is one of the main methods for encoding data in such a way that it is inaccessible to unauthorised parties, ensuring the data’s confidentiality.

Backing Up

We’ve all probably been in the difficult situation of having lost an important file or document. Though this can be a mere inconvenience at times, a serious loss of access and availability can be utterly catastrophic to an ill-prepared organisation. As such, information security isn’t just about helping to prevent attacks; it’s also about safeguarding information in the event of a successful one.

Just as encryption ensures the confidentiality of information, backing up helps to ensure its availability. Should the worst happen, such as a ransomware attack, an organisation with adequate backups will have minimised the impact across areas including continuity, information integrity and reputation.
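The Encryption and Backing Up sections above describe the two goals, confidentiality and availability, in the abstract. The following Go program is an added example written for this page (it is not code from the original article or from Hut Six) showing how the two fit together in practice: a personal data record is sealed with AES-256-GCM, the encrypted copy is stored with a SHA-256 checksum, and the restore step verifies the checksum before decrypting so that a corrupted or tampered backup is rejected rather than silently restored. The record contents, the function names and the in-memory key handling are all assumptions made for the example; in a real deployment the key would come from a key management service rather than being generated beside the backup.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// sampleRecord is a constructed piece of personal data standing in for a
// real record; the values are placeholders, not taken from any real system.
const sampleRecord = `{"name":"Example Person","email":"example@example.invalid"}`

// BackupEntry is what gets written to the backup medium: the encrypted
// record plus a checksum that the restore step verifies before decrypting.
type BackupEntry struct {
	Blob   []byte // nonce || AES-GCM ciphertext || authentication tag
	SHA256 string // hex digest of Blob, checked on restore
}

// NewKey returns a fresh random 256-bit AES key. In practice the key lives
// in a KMS or HSM and is never stored beside the backup it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals plaintext with AES-256-GCM under key. The random nonce
// is prepended so the blob is self-describing; GCM also authenticates it.
func EncryptRecord(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptRecord reverses EncryptRecord. Any change to the blob, or use of
// the wrong key, fails authentication instead of returning garbage.
func DecryptRecord(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("encrypted blob too short")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// MakeBackup encrypts the record and records a checksum of the ciphertext.
func MakeBackup(key, plaintext []byte) (BackupEntry, error) {
	blob, err := EncryptRecord(key, plaintext)
	if err != nil {
		return BackupEntry{}, err
	}
	sum := sha256.Sum256(blob)
	return BackupEntry{Blob: blob, SHA256: hex.EncodeToString(sum[:])}, nil
}

// Restore first checks that the stored copy is intact (the availability
// question: did the backup survive?), then decrypts it under the key.
func Restore(key []byte, e BackupEntry) ([]byte, error) {
	sum := sha256.Sum256(e.Blob)
	if hex.EncodeToString(sum[:]) != e.SHA256 {
		return nil, errors.New("backup checksum mismatch: copy is corrupt or tampered")
	}
	return DecryptRecord(key, e.Blob)
}

func main() {
	key, _ := NewKey()
	entry, _ := MakeBackup(key, []byte(sampleRecord))
	restored, err := Restore(key, entry)
	fmt.Printf("intact backup restores: %v (err=%v)\n", string(restored) == sampleRecord, err)

	// Flip one byte of the stored copy: the checksum rejects it before decryption.
	entry.Blob[len(entry.Blob)-1] ^= 0x01
	_, err = Restore(key, entry)
	fmt.Println("corrupted backup:", err)
	entry.Blob[len(entry.Blob)-1] ^= 0x01

	// A different key passes the checksum but fails GCM authentication.
	otherKey, _ := NewKey()
	_, err = Restore(otherKey, entry)
	fmt.Println("wrong key:", err)
}
```

The checksum and the GCM tag protect against different failures: the checksum is a cheap check that the stored copy is the one written (media rot, a truncated transfer), while the authentication tag ties the ciphertext to the key, so a backup that has been altered or is being read with the wrong key is refused rather than restored as corrupted personal data. Restore tests of this kind are worth running on a schedule, not only after an incident.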

Educating Staff

Though there are many technical measures that can be taken to help defend against information security attacks, all organisations should also take the time to invest in the education, awareness and vigilance of their staff.

With 34% of all breaches involving internal actors, businesses can no longer afford to ignore the carelessness and negligence that frequently contribute to the success of an information security attack.

By educating your staff regularly with interactive tutorials that require them to demonstrate what they have learned, you don’t just help to improve compliance, but also reliably reduce the risk of human error and raise the standard of awareness.

Hut Six Information Security Awareness Training

Featuring twenty-six comprehensive tutorials covering all aspects of information and cyber security, Hut Six’s training is focused on demonstrating learning outcomes. With Hut Six’s learning management system (LMS), employers can assess and track the achievements of staff and better understand areas for improvement. 

Hut Six’s comprehensive solution builds a security aware culture by focusing on achieving meaningful behavioural change. With engaging training, your organisation’s defences are strengthened against malicious actors, reputational damage and potential fines and losses, whilst satisfying compliance obligations.