Data breach fines but what about reputation?

With the General Data Protection Regulation (GDPR) being in force for over a year now, having brought confusion and fuss to businesses which the threat of fines running into the millions.

Businesses rushed to make sure they were compliant with GDPR and have the correct policies and notices in place in order to avoid these hefty fines. The question that has constantly come up is whether it is important to be GDPR compliant and have these policies in place. Well, it certainly is because such data breaches are being more actively watched by the Information Commissioner’s Office (ICO). The ICO are showing their power on imposing fines upon data breaches and without compliant policies and notices in place, these fines can be extraordinary. Recently the ICO have fined British Airways a record £180million, followed by a £100million fine on Marriott last month. Both fines were imposed after hackers stole huge amounts of personal data.

In the wake of these fines, businesses are realising that there is a reputational risk to data breaches as well as the fines. The question is how you can limit the risks of both financial and reputational damages to the business.

Firstly, if a data breach has occurred the ICO must be notified within 72 hours. If the breach poses a high risk, such as the loss of financial information then the affected individuals will need to be notified without undue delay.

Now delays sometimes occur on how to notify these people of the data breach. Generally, this would be by email. However, this really depends on how many people’s data has been breached as IT servers may not physically be able to cope with an email to thousands of people or more in one go. Furthermore, not all customers will have an email address, and some may only answer through postal communications.

This also brings the question as to whether your database holds the correct or up-to-date information in order to notify customers. The ICO do not take delays lightly so be aware. Although it is not a requirement to inform staff of data breaches, it would be wise to notify the customer service and social media teams in order to manage concerns from affected customers. A small tweet from a disgruntled customer can all too quickly travel the world, often gathering pace as it does. The best approach is to make sure the customer service team and your lawyers work together and decide what communication should be included to the customers.

The time of notifying customers is critical especially when there has been a high-risk data breach that could lead to fraud and losses to the customer.

Delaying notification risks reputational damage and could possibly lead to increased fines by the ICO. There is a balance though; you need to be aware of the full extent of the breach before informing everyone. It can be a fine line, and again, your lawyers and communications team are best placed to advise.

When considering whether to dish out a fine and in what magnitude, the ICO will undoubtedly look at how the breach occurred and how it could have been prevented. But it will also look at the steps you took to remedy and mitigate the consequences of the breach. This is important when considering financial and reputational damage.

Complying with GDPR is important, but businesses should also have a plan in place in case of a data breach – because reputational damage can hit just as hard as the legal implications.

However, if you would like to know more or currently have an issue regarding a data breach, we would be happy to assist. Briffa advises on all aspects of data protection and IP, and we offer free consultations to all new clients. If you would like to book a call or a meeting with one of our specialists, please contact info@briffa.com or 020 7096 2779.

Written by Hasnath Ahmed, Solicitor