During a speech last year at the Federal Trade Commission, Barack Obama said “If we are going to be connected, then we need to be protected.” This sentiment is one that is shared across the Atlantic. However, despite the increasing fluidity with which data flows across borders, there remains a lack of harmonisation of data protection laws across the Member States and beyond. This may all be about to change, with the text of the much debated General Data Protection Regulation (‘GDPR’) finally agreed to in December 2015 by the EU Commission, Parliament and Council of Ministers. The GDPR now awaits formal adoption by the European Parliament and Council, and will become applicable in each member state two years thereafter.
One of the key changes that will come into force is a requirement on data controllers to put in place data breach notification procedures for use in the event of a breach leading to the loss of personal data.
In line with this obligation, organisations that have discovered security breaches are to notify the relevant Data Protection Authority without undue delay and, where feasible, within 72 hours. An exception is allowed for breaches which are unlikely to result in a risk to the rights and freedoms of individuals. The enterprise also needs to notify any individuals affected without undue delay if the breach is likely to result in a high risk to their rights and freedoms. The notice should include details about the mitigating steps taken and contain details about who to contact for more information.
One of the most common forms of data breach is a malicious external cyber-attack. Many large businesses and their customers have been affected by such security breaches in the past, and the trend will only grow if steps are not taken to tighten cyber and information security. There have been several high-profile breaches recently. For example, TalkTalk suffered a ‘significant and sustained’ cyber-attack in 2015 which resulted in the loss of 157,000 customers’ data, including bank details for 15,000 customers. More recently, on 29 January 2016, the American department store Neiman Marcus notified 5,200 customers who had been potentially affected by a breach of their online accounts. This particular breach highlighted the vulnerability of relying only on usernames and passwords for online authentication.
In parallel, the spiralling growth of the Internet of Things and the volume of data being held by companies mean that cyber security and data protection need to be at the forefront of every organisation’s agenda. A data security breach not only heightens the risk of identity theft but can cause significant reputational and financial damage to a business.
The new requirements under the GDPR mean that it is essential, now more than ever, that a company has an incident management strategy in place which has been tested to ensure it is effective.
This is where effective legal advice can play a vital role. Legal advisors will be able to guide you as to your obligations around data and cyber protection and assess the risks to your business if you don’t meet these obligations. In the event of a breach, the legal team can help you to manage and process claims efficiently and assist you in dealing with any enforcement action by regulators. Other preventative measures can also be taken, such as stress testing your systems to assess their resilience to attack. Should an attack occur, many providers offer assistance with the notification process, including mailing services, building custom websites, public advertising and setting up dedicated contact centres to answer questions from affected individuals.
Whilst the finalisation and implementation of the GDPR will increase the regulatory burden on companies, it will at least bring with it certainty and consistency of security standards across Europe. If you have any concerns about how these changes could affect your business or organisation then Shepherd and Wedderburn can advise you on the new requirements, and on the best route to follow in respect of e-discovery, with both the legal and the technical support assisting you through the steps highlighted above.