With the General Data Protection Regulation (GDPR) being in force for over a year now, having brought confusion and fuss to businesses which the threat of fines running into the millions.
Businesses rushed to make sure they were compliant with GDPR and have the correct policies and notices in place in order to avoid these hefty fines. The question that has constantly come up is whether it is important to be compliant GDPR and have these policies in place – well it certainly is because such data breaches are being more actively watched by the Information Commissioner’s Office (ICO). The ICO are showing their power on imposing fines upon data breaches and without compliant policies and notices in place, these fines can be extraordinary. Recently the ICO have fined British Airways a record £180million, followed by a £100million fine on Marriott last month. Both fines were imposed after hackers stole huge amounts of personal data.
The wakes of these fines have made businesses realise that there is a reputational risk to data breaches as well as the fines. The question is how you can limit the risks of both financial and reputational damages to the business.
Firstly, if a data breach has occurred the ICO must be notified within 72 hours. If the breach poses a high risk, such as the loss of financial information then the affected individuals will need to be notified without undue delay.
Now delays sometimes occur on how to notify these people of the data breach. Generally, this would be by email. However this really depends how many people’s data has been breached as IT servers may not physically be able to cope with an email to thousands of people or more in one go. Furthermore, not all customers will have an email address, and some may only answer through postal communications.
This also brings the questions as to whether your database holds the correct or up-to-date information to in order to notify customers. The ICO do not take delays lightly so be aware. Although it is not a requirement to inform staff of data breach, it would be wise to notify the customer service and social media teams in order to manage concerns from affected customers. A small tweet from a disgruntled customer can all too quickly travel the world, often gathering pace as it does. The best approach is to make sure the customer service team and your lawyers work together and decide what communication should be included to the customers.
The time of notifying customers is critical especially when there has been a high risk data breach that could lead to fraud and losses to the customer.
Delaying notification risks reputational damage and could possibly lead to increased fines by the ICO. There is a balance though; you need to be aware of the full extent of the breach before informing everyone. It can be a fine line, and again, your lawyers and communications team are best placed to advice.
When considering whether to dish out a fine and in what magnitude, the ICO will undoubtedly look at how the breach occurred and how it could have been prevented. But it will also look at the steps you took to remedy and mitigate the consequences of the breach. This is important when considering financial and reputational damage.
Complying with GDPR is important, but businesses should also have a plan in place in case of a data breach – because reputational damage can hit just as hard as the legal implications.
However if you would like to know more or currently have an issue regarding a data breach, we would be happy to assist. Briffa advises on all aspects of Intellectual Property and offers free consultations to all new clients. If you would like to book a call or a meeting with one of our specialist IP lawyers, please contact firstname.lastname@example.org or 020 7288 6003.
Written by Hasnath Ahmed, Solicitor