The Information Age, Computer Age, Digital Age, or New Media Age: whatever you want to call it, our reliance on information technology in today’s world has provided us with the ability to create and store data at a mind-boggling rate – in the time it took to write the last sentence around 29 million WhatsApp messages were sent.
This exponential growth has led to an intriguing claim: the world’s most valuable resource is no longer oil, but data. Forget digging for black gold, data mining is the modern money-spinner – a process used by companies to turn raw data into useful information. However, the task of storing, managing and gaining value from this data explosion presents businesses with a significant challenge: defending against a potential data protection breach.
From sole traders to multinational corporations, almost all businesses capture and store their customers’ personal details. The value of effective customer data management is compelling: increased sales, better customer retention, effective marketing campaigns, strong customer relationships. Drop the ball on this, however, and businesses expose themselves to potentially damaging data breaches.
So, what exactly is a data protection breach and how might one occur?
According to the Information Commissioner’s Office (ICO), it’s: “a security incident that has affected the confidentiality, integrity or availability of personal data.” This includes:
- Access by an unauthorised third party
- Deliberate or accidental action (or inaction) by a controller or processor
- Sending personal data to an incorrect recipient
- Computing devices containing personal data being lost or stolen
- Alteration of personal data without permission
- Loss of availability of personal data.
Things start getting sticky when this information falls into the hands of people who were not intended to see it, especially if those people have malicious intent. Enter a piece of legislation that dominated the headlines when it began to apply on 25 May 2018: the General Data Protection Regulation (GDPR). This reform modernised the laws that protect the personal information of individuals, replacing the 1995 Data Protection Directive and the national laws built on it, which were drafted before we began routinely sharing personal information online.
GDPR personal data breaches
Businesses that ignore GDPR rules do so at their peril: according to a recent study, 160,921 personal data breaches were notified to regulators within the EEA between 25 May 2018 and January 2020, with subsequent fines totalling over €220 million. Let’s take a closer look at three of the biggest financial penalties dished out so far:
- Google: in January 2019, the French data protection authority (the Commission Nationale de l’Informatique et des Libertés, CNIL) fined the tech behemoth €50 million, the biggest GDPR fine at the time of writing, for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”. According to the regulator, people were “not sufficiently informed” about how Google collected data to personalise advertising.
- British Airways: in October 2020, the airline was fined £20 million by the ICO for a breach of data protection which affected more than 400,000 customers. Attackers compromised BA’s systems and modified them to harvest customers’ personal and payment details as they were entered. The ICO had originally announced an intention to fine £183 million; the final penalty was significantly reduced after BA’s representations and in light of the economic impact of COVID-19.
- Marriott International: in July 2019, the ICO issued a notice of intent to fine Marriott International more than £99 million, later reduced to £18.4 million in October 2020, partly in light of COVID-19, for a major data breach resulting from a cyber-attack that may have compromised the personal details of up to 339 million guests.
Reporting data protection breaches
Article 33 of the GDPR requires a data controller that has identified a breach to notify the appropriate supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. The “where feasible” caveat exists because the GDPR recognises that it is not always possible to investigate a breach fully within this tight timeframe: the notification can be made in phases, provided any delay is justified. In such circumstances the GDPR still expects data controllers to prioritise the investigation, give it adequate resources and expedite it urgently. Two practical points follow. First, the 72-hour clock starts when the controller becomes aware of the breach, which the ICO interprets as having a reasonable degree of certainty that a security incident has compromised personal data, so incident response procedures should record when that point is reached. Second, a processor that discovers a breach must notify the controller without undue delay (Article 33(2)); the obligation to notify the regulator rests with the controller.
What about those affected? Under Article 34, if the breach is likely to result in a high risk to their rights and freedoms, such as a cyber-attack that compromises sensitive medical data, the individuals concerned must also be informed without undue delay.
According to the ICO, businesses must provide the following information to the relevant supervisory authority when reporting a breach:
- A description of the nature of the breach, including the categories and approximate number of individuals affected and the categories and approximate number of personal data records concerned.
- The name and contact details of your data protection officer (if you have one) or another contact who manages data protection within the business.
- A description of the potential impact and consequences of the breach.
- A description of the measures taken or proposed to be taken to handle the breach.
Having reported the breach, the supervisory authority will inform you promptly if they are satisfied with your actions. If they suspect a GDPR violation, however, you will become subject to a formal investigation, which may take several months to complete. If the conduct also amounts to a criminal offence under national law (in the UK, for example, the offences in the Data Protection Act 2018), a criminal investigation may follow.
Failure to report a breach of data protection is itself a violation of the GDPR and is punishable by a fine of up to €10 million or 2 percent of worldwide annual turnover for the preceding financial year, whichever is higher. Fines are often a last resort, typically reserved for egregious or repeat offences, although each country’s supervisory authority decides how to apply the GDPR’s provisions. Other corrective measures available to regulators include warnings, reprimands, orders to bring processing into compliance, temporary or permanent bans on processing, and compliance audits.
Our ever-growing reliance on, and ability to create, online data was in danger of descending into a digital wild west before the introduction of the GDPR. The regulation is not a silver bullet, but it was long overdue, and it sets out detailed requirements for businesses on collecting, storing and managing personal data. Ensure peace of mind for your business and its customers by taking the time to understand your GDPR obligations. It might also be worth considering an outsourced cyber security services provider to help you defend against a data protection breach.