The General Data Protection Regulation (GDPR) will come into force on 25 May 2018 and brings with it new and improved regulatory powers for the Information Commissioner’s Office (ICO).
What will this mean for businesses facing a data breach under the new GDPR regime?
Under the current Data Protection Act there is no general statutory duty to report breaches, although the ICO expects to be informed about serious ones. This changes under the GDPR. Where there is a security incident, the organisation should quickly establish whether a personal data breach has occurred and, if so, take prompt steps to contain and address it. It must then assess the likelihood and severity of the resulting risk to individuals' rights and freedoms. Unless the breach is unlikely to result in such a risk, notification to the ICO is mandatory and must be made without undue delay and, where feasible, within 72 hours of the organisation becoming aware of the breach. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be informed "without undue delay". Whether or not a breach is notified, the GDPR also requires the organisation to document it, including its effects and the remedial action taken, so that the ICO can verify compliance.
As a result, organisations will be required to amend their internal processes relating to the handling of data breaches to ensure that the notification requirement is complied with.
Upon receipt of a notification or information concerning a data breach under the GDPR, the ICO is provided with increased powers of investigation including:
The ICO may also take corrective measures when investigating a data breach. Some of the corrective powers that can be imposed by the ICO could have a considerable impact on the day-to-day running of a business. Such corrective measures include:
In addition to corrective measures, the GDPR provides the ICO with stronger enforcement powers, including the power to impose much higher monetary penalties: fines of up to €20 million (approximately £17 million) or up to 4% of an organisation's total worldwide annual turnover for the preceding financial year, whichever is higher. The GDPR splits fines into two tiers.
1) The organisation will be subject to a maximum fine of up to €20 million, or up to 4% of its worldwide annual turnover, whichever is higher, where the following provisions have been infringed:
2) The organisation will be subject to a maximum fine of up to €10 million, or up to 2% of its worldwide annual turnover, whichever is higher, where it infringes the provisions relating to the obligations of the controller and the processor, the certification body, or the monitoring body.
The obvious concern is that fines of this size could threaten the viability of a business. However, whilst each fine must be "effective, proportionate and dissuasive", the ICO must take account of the circumstances of each individual case, including the nature, gravity and duration of the infringement, whether it was intentional or negligent, any action taken to mitigate the damage to individuals, the manner in which the infringement came to the ICO's attention (in particular whether, and how promptly, the organisation notified it), the degree of co-operation with the ICO, and compliance with any corrective measures previously ordered.
Working with government regulators is a specialist area that requires the tactical insight that comes with experience. Our regulatory team has extensive experience of protecting our clients' interests, while working with a number of regulators including the ICO, Advertising Standards Authority, Environment Agency and the Health and Safety Executive. If you are being investigated by the ICO and require industry-specific regulatory advice, please get in touch with one of our experts to discuss this further.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at May 2018. Specific advice should be sought for specific cases. For more information see our terms & conditions.