The impending arrival of the EU General Data Protection Regulation is requiring businesses to implement changes. Find out more in our mini blog series exploring. See our earlier posts here.
Businesses can go to great lengths in ensuring that any personal data they control or process is sufficiently protected, but hackers can always be relied upon to find new and unexpected ways to retrieve any data they desire. Whether or not data controllers or processors are themselves to blame in the event of a data breach, how breaches are dealt with following their detection is of critical importance.
Once the General Data Protection Regulation (GDPR) becomes fully enforceable in May 2018, the concealment of data breaches will be made illegal in all EU member states. Under the GDPR, the maximum fine for noncompliance with data protection authorities will rise to 20 million euros, or 4% of 12-month turnover—whichever is greater.
Failure to adequately report a data breach is already a highly punishable offence in the EU. Under the current legislation of the Data Protection Directive of 1995, the authorities of each EU member state can determine the severity of any fines they impose and hold the right to impose fines independent of the actions of other member state authorities.
In the UK, reporting data breaches is not technically mandatory, but in many other EU countries it already is. Concealing a data breach is already illegal in the Netherlands, for example, where the maximum fine to be imposed by data protection authorities is €820,000.
For actively concealing, for just over a year, a data breach that occurred in October 2016, the global transportation company Uber is currently facing fines of such severity. Under the GDPR, however, Uber would likely be fined in the tens of millions at the very least.
The fact that the breach took place in America where Uber is based would not make any difference. When the GDPR comes into effect, it will apply not just to businesses based in the EU but to all businesses that control or process data on EU residents. As Uber’s breach affected the personal data of over 57 million users worldwide—including most active Uber users in the UK—they would be culpable just the same.
To formally report a data breach and avoid the unfavourable circumstances in which Uber would find themselves, businesses must notify their supervisory authority of any data breaches within just 72 hours of discovery. The UK’s supervisory authority under the GDPR will be the Information Commissioner’s Office, who already have a section dedicated to the reporting of data breaches on their website.
Given the increased severity of fines under the GDPR, any businesses currently keeping quiet about past data breaches would be wise to come clean now and take the softer sanctions. Reporting a data breach will not excuse any negligence in protecting data in the first place, but any attempts to conceal data breaches once the GDPR comes into effect are only going to make matters worse.
– Freddie Kentish