GDPR Advent Calendar (Door 4)

Previously, on the GDPR Advent Calendar… my client “Nick” has discovered that part of a list recording children’s names, addresses and their respective “naughty-” or “nice-”ness over the preceding year has been subject to a data breach. We have looked at the data breach response plan which Nick’s organisation has in place and, while his external data processor (“ELF”) tried to work out what has been happening, we have taken advantage of the interlude to look at some of the basic principles of data protection law.

Now, let’s open Door 4…

First thing on Monday morning, my client calls a meeting. I am there, as are several representatives from the External Logistics Force (“ELF”), who identified and (so it seems) are responsible for the breach. Nick, usually very jolly even at this busiest time of the year, is extremely unimpressed with the lack of clarity about precisely what has happened. While it is in the nature of this sort of breach not to have as much information as might be wanted at an early stage, he is right to be frustrated. ELF seem to have been dragging their feet, and as the meeting goes on it emerges that, in clearing down the server of the personal data that had been exposed, they have also wiped and reformatted it, deleting valuable information about the nature and duration of the breach which Nick is going to need in order to make a breach notification report to the ICO.

It turns out that backup tapes may be able to assist with piecing together a picture of how serious this breach is. ELF are going to restore these and report back, but all of that is going to take time.

After the meeting, Nick asks me to consider the terms of his organisation’s contract with ELF. He wants to understand precisely what their obligations are in the context of a breach like this. This is particularly relevant under the existing legislation, where all liability for any breach rests with the data controller.

© BDB Pitmans 2024. One Bartholomew Close, London EC1A 7BL - T +44 (0)345 222 9222

Our Services

Charities chevron
Corporate and Commercial chevron
Employment and Immigration chevron
Fraud and Investigations chevron
Individuals chevron
Litigation chevron
Planning, Infrastructure and Regeneration chevron
Public Law chevron
Real Estate chevron
Restructuring and Insolvency chevron

Sectors and Groups

Private Wealth chevron
Real Estate chevron
Transport and Infrastructure chevron