Personal data security is one of the highest-profile aspects of data protection law. Security is itself one of the data protection principles, and it matters not only because of the mandatory personal data breach reporting requirements under the GDPR but because of the damage a personal data breach can do to an organisation's reputation.
This has been demonstrated by the first high-profile post-GDPR personal data breach. Dixons Carphone has revealed that it has suffered a cyber attack which compromised 1.2 million customer records, including names, addresses and email addresses. The intrusion also compromised the details of 5.9 million payment cards. The ICO has been notified of the breach under the new post-GDPR mandatory breach notification regime, and the individuals affected have also been told that their personal data has been accessed.
Under the GDPR mandatory breach notification requirements, where a personal data breach is likely to result in a risk to individuals (the risk in this instance being identity theft or financial fraud) the ICO must be told. Notification must be made without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach; a notification made later than that must be accompanied by the reasons for the delay. It isn't clear when this intrusion took place or how long it took Dixons Carphone to discover the breach and report it to the ICO. The breach is now under investigation by the ICO, and these timings will be key factors in determining what action it takes.
All eyes are likely to be on the outcome to see whether it results in a large fine for the company, given the increased levels of fines available under the GDPR and the fact that Carphone Warehouse (the mobile phone division of Dixons Carphone) was fined £400,000 in January 2018, equal to the largest fine issued under the Data Protection Act 1998, following an earlier cyber attack. The company has already seen its share price fall following the report of the latest breach.
From your organisation’s point of view, this is a useful prompt to:
- Review your security provision generally. Under the GDPR controllers must ensure the appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures. This includes personal devices that employees are allowed to use for work (you may need a Bring Your Own Device Policy if you permit this);
- Ensure that your Personal Data Breach Reporting Policy and Procedures are in place, so that your organisation can respond promptly and effectively to any personal data breach and notify the ICO and the individuals affected within the required timeframes;
- Ensure that your personal data breach log is up and running. All personal data breaches must be logged, regardless of whether they require notification to the ICO or to the individuals affected, recording the facts of the breach, its effects and the remedial action taken;
- Train your staff. Staff awareness of what can amount to a personal data breach, and of what is required of them if they become aware of one, is a key factor in ensuring your organisation's compliance with data protection law.
For further information about a Personal Data Breach Reporting Policy and Procedure, a Bring Your Own Device Policy for employees, staff training or what needs to go in your personal data breach log, contact Lowri Phillips, Head of the Information Law Team.