
GDPR – four simple letters which struck fear into every organisation across Europe in 2018

The impact of the recent PSNI data breach - which saw a document mistakenly shared online which included the names of 10,000 officers and staff, and which ultimately led to the resignation of Chief Constable Simon Byrne - is a sobering illustration for all data processors and controllers of the fallout when things go wrong

ENFORCED by the Information Commissioner’s Office (the ICO), the General Data Protection Regulation (GDPR), introduced five years ago, brought with it new legal rights for individuals, increased accountability for organisations and significantly larger fines.

It created a robust set of standards applicable throughout the EU for the collection of personal data and gave members of the public greater control over their own personal data.

And despite Brexit, the principles of GDPR are retained in domestic law as the UK GDPR, sitting alongside the Data Protection Act 2018, and remain of huge importance within the UK.

The devastating impact of the recent PSNI data breach provides a sobering illustration for all data processors and controllers of the fallout when things go wrong. The extent of the breach has exemplified the importance of having robust policies and procedures in place to safeguard the data rights of individuals.

It has also highlighted the importance for organisations to have a system in place to deal with any data breach immediately should one occur. It is good practice for businesses to appoint a data protection officer who will oversee ongoing compliance with GDPR and who will be able to assess whether any breach occurring is so serious that it should be reported to the ICO.

In such circumstances, reports to the ICO must be made within 72 hours of becoming aware of the breach. It may also be necessary to inform the data subject(s) involved in the breach who may, in turn, have a cause of action against the organisation which has misused or compromised their data.

The PSNI’s own estimate of the potential cost of the recent data breach, in terms of extra security for officers and potential legal action, is in the region of £240m. Many police officers and policing staff have already launched claims. I am personally representing hundreds of them.

Data breaches will occur. It is inevitable. Something as seemingly innocuous as sending an email to an incorrect recipient can constitute a breach. It is not, however, inevitable that every data breach will lead to a huge fine from the ICO. Whether it be a sophisticated ‘hack’ or a case of human error, the focus of the ICO will be to assess what systems you have in place to mitigate the risk of a breach and what protocols you have to deal with a breach when it occurs.

They will also investigate how the breach occurred, why it happened, and what your organisation has done (or plans to do) to ensure that a similar breach does not happen again.

Whilst the ICO and its equivalent bodies across the EU have handed out some huge fines since the inception of GDPR (the biggest was a fine of €1.2 billion imposed in the Republic of Ireland on Meta/Facebook), its main objective is not the imposition of fines, but rather to ensure that organisations are treating the data they hold in a responsible and transparent manner.

:: Andrew Morrow (andrew.morrow@mtb-law.co.uk) is a partner in McCartan Turkington Breen Solicitors and an expert in data protection law