As we approach May 2018, the full implementation date for the General Data Protection Regulation (GDPR), or more likely, the implementation date of the UK Data Protection Bill which will be drafted into UK law to reflect GDPR, I thought it worth talking about what one can do in the working days we have left to prepare for it.
Of course, data protection is nothing new. We have worked to the Data Protection Act 1998 for nearly two decades, so we already take pretty good care of personal and sensitive personal data, right? Assuming this is true for most organisations, it’s worth thinking about what is going to be different about GDPR/UKDPB and therefore what should be prioritised in order to meet this new regime.
One of the new challenges imposed by GDPR is the mandatory obligation on data controllers to report a data breach within 72 hours of first becoming aware of the breach. The wording of Article 33 of GDPR is:
“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
So if the loss of data could result in a risk to the rights and freedoms of individuals, you are legally obliged to report the breach to the supervisory authority (in the UK, the Information Commissioner’s Office (ICO)) within three days.
Three days is not a long time. Before declaring a breach to the ICO, generally one would like to establish the facts of the breach, confirm one’s obligations, prepare notification notices and authorise public statements, amongst many other activities. Any one of these generally requires significantly more time than 72 hours. The key is preparation. To be prepared requires a plan, commonly an ‘incident response plan’. This will contain details of who does what, when and how. Crucially, it should be clear about governance – who is responsible for what, who has authority to make certain decisions, and so on. Part of this plan will also entail passing reporting obligations down to any data processors in your supply chain, ensuring that they’re given reasonable time to understand and report on a breach, especially if they caused it!
Of course, you need more than a plan; you need to know that the plan will work, or at least survive first contact with reality. To do this, the key is to rehearse: run trial data breach exercises involving all the necessary people, including the organisation’s leaders. Undertaking such exercises will iron out the kinks in the plan and familiarise people with what is expected of them. Plans also need to contain the seemingly trivial information that, in times of stress, can really disrupt one’s response. For example, knowing who your data protection lawyers are, how to get hold of data forensics specialists, and where you might find a crisis management expert or a media handling consultant is all important information that you should try to gather in advance.
One item that is often overlooked but is going to become increasingly important is knowing which of your clients, customers, suppliers or partners you have a contractual obligation to report a breach to. In preparation for GDPR, many organisations are introducing clauses into their contracts that oblige their suppliers to notify them if they (the suppliers) suffer a data breach. In some cases, the obligation to report the breach may have time constraints significantly more challenging than the 72 hours imposed by GDPR. This matters because a data breach which affects your customers or staff can happen anywhere in your supply chain.
There is a lack of clarity about whether the 72 hour constraint applies from the first awareness of the breach anywhere in the supply chain, or from when you were informed by the part of your supply chain that noticed the data breach. The former, more extreme view is championed by the Article 29 Data Protection Working Party, who assert that “The controller uses the processor to achieve its purposes; therefore, in principle, the controller should be considered as “aware” once the processor has become aware”. This would mean that if your supplier takes 48 hours to notify you that they have had a breach that affects your data, you’ll only have 24 hours left. This would be hugely challenging and practically unworkable, so I look forward to seeing a more moderate take on this subject.
One more thing. Remember that all this applies to non-digital data losses too. Although electronic records can so easily end up anywhere in the world in milliseconds, it is easier, and perhaps more likely, to suffer a data breach by leaving some personnel files on the train, or by popping the wrong letter in the wrong envelope. Awareness raising across the organisation is vital, making clear to staff when they might be handling sensitive personal information and what their obligations are to protect the privacy of the individuals who entrust their data to your care.
Preparation is key and eighty working days isn’t a long time to get this straight… please leave a comment or get in touch if you need some help getting started.