Five things employers need to know about security breaches under the GDPR
GDPR, which goes live on the 25 May 2018, will replace the current data protection laws which were implemented in the UK in 1998. The purpose of GDPR is to catch up with technological advances, recognising how prevalent and easily accessible personal data now is with, for example social media, the cloud and smart phones being in regular everyday use. GDPR aims to standardise data protection laws across the EU and prioritise the rights of the data subject. The new laws encourage systems to be data subject friendly. GDPR focuses upon the accountability and transparency of those that control and process data. Data controllers and processors will be under greater scrutiny as to what data they process and why, and importantly how they keep it secure.
So what are the five things that employers/HR need to know about security breaches?
1. The risks – under GDPR there is the potential for significant fines for data breaches (up to 20 Million EURO or 4% of turnover, which ever is the higher, for serious breaches) as well as potential criminal sanctions. Individuals will have wider rights to seek damages from those in breach of data protection laws, including for emotional distress suffered by the breach. This is in addition to the reputational damage that will be sustained by a business responsible for a data breach.
2. There is an obligation under GDPR to deliver data integrity and confidentiality – you must keep personal data protected from unauthorised or unlawful processing as well as loss, destruction or damage using appropriate technical and organisational measures including data security practices such as encryption or pseudonymisation (replacing real person identifiers with artificial identifiers), appropriate training, and selection of staff and physical security measures. In respect of the storage of data it must only be kept for as long as is necessary for its original purpose, so you need to be clear on your data retention times and how data is securely deleted when no longer needed. You also need to be aware of where the data goes as GDPR does not just cover the EU. GDPR will have an extra-territorial effect applying to an organisation with no EU establishment if that organisation processes EU data subjects’ data so as to offer them goods or services or to monitor their behaviour within the EU. For example, a data storage facility located in the US or a website owned and operated in China but using cookies to track the behaviour of online users in the EU will be required to comply with GDPR.
3. Whether you are a data controller or data processor? A data controller determines the purposes and means of processing personal data (for example the employer). A data processor is responsible for processing personal data on behalf of a controller (for example a pension administrator). Data controllers will have a greater duty to ensure the suitability and reliability of their data processors meaning that they will need to carry out increased due diligence before entering into a contract with a data processor. If you are a data processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will also have legal liability if you are responsible for a breach.
4. Time limits – under GDPR there will be compulsory reporting of some data breaches to the Information Commissioner’s Office. Reportable incidents can include unauthorised access to or destruction of data and not only circumstances where data has been disclosed or lost, which are the common data law breaches under the current laws. A notification must be made where an incident is likely to result in a risk to the rights and freedoms of the data subjects whose data you control or process. The notification must be made within 72 hours of discovery. If you are providing services as a data processor to a data controller then you will be obliged to notify the controller “without undue delay after becoming aware” of a breach. Data controllers will also have to report a breach incident to data subjects if it is likely to result in a high risk to their rights and freedoms. This obligation is not absolute and in some cases, such as where the data was properly encrypted, they will not have to be informed.
5. That you have control of the data – in light of these obligations you need to make sure your employment contracts, confidentiality obligations, notification obligations, training and data protection policies deal with these extra obligations. Only those employees who need to work with data should be allowed access, they should be using secure devices (particularly important to review if you have a BYOD policy) and encrypted methods, and you need the contractual power to get any data they do have back or deleted if the employment relationship comes to an end.