Data Protection Breaches – 4 Step Action Plan

20 Jan 2022

James Oxley

What should you do for smaller data protection breaches and will you be fined?

In May 2018, with the birth of the GDPR, we saw the potential level of fines for data protection breaches rise from a modest maximum of £500,000 up to £17.5 million or 4% of the annual global turnover of the company.

Whilst fines at these levels are mainly reserved for the most serious breaches by larger multinational companies where large amounts of data have been disclosed, the issues we typically see for SMEs are more likely to be on a smaller scale. Typical breaches involve personal data being sent to the wrong person by email, either internally in an organisation or externally to a third party, or laptops or documents being left on a train or in another public place.

Whatever the incident, these can be worrying times for any business.

So what should you do if there has been a personal data breach and what are the likely consequences?
The legislation provides that a ‘personal data breach’ is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. If you suspect a breach then:

  • Step 1: gather information and assess the breach as soon as possible (ideally you will already have a plan in place), and then look to mitigate the impact of the breach.
  • Step 2: all personal data breaches should be recorded by the business; the record should include the facts of the breach, the effects of the breach and the remedial action taken.
  • Step 3: if the breach is likely to result in a risk to the individual’s rights and freedoms, you should notify the Information Commissioner’s Office (“ICO”). The ICO’s website has a helpful self-assessment to assist businesses with the decision whether or not to notify, but factors to consider include: the nature, sensitivity and severity of the breach, the number of people affected, and any special characteristics of the individuals or data, such as data relating to children or medical data.
  • Step 4: where the personal data breach requires ICO notification, it should be made without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach. If you decide not to notify the ICO, you should be able to justify and document the decision.

If the breach is minor and has relatively little impact on the person whose data was released, the ICO is unlikely to issue a fine. In a recent case involving a firm of solicitors sending an invoice containing names, address and financial details of school fees to the wrong person, the Court thankfully saw sense and decided that the breach was minimal and that no person of ordinary fortitude would reasonably suffer the distress claimed in such a case, which also saw mitigating steps being taken quickly.

If the breach is not minor, the ICO has a number of powers which include investigative and corrective powers as well as the fines. The data subject also has remedies.

We have advised businesses on a variety of data protection matters including data breaches, policies, and responding to subject access requests. If you have suffered a breach and require assistance, or have any data protection queries, please do not hesitate to contact us.

For further information please contact James Oxley: