Since the GDPR was introduced across the EU and the UK in 2018, countless businesses have found themselves on the wrong side of the law, including some of the world's most recognised brands.
- What to do if you suspect a data breach
- The Most Common Data Breaches
- How to Avoid Common Data Breaches
- Penalties for breaching GDPR
The GDPR provides constant consumer protection and guides how our businesses should handle personal data. It is important to allow it to do just that. By adhering to the regulation, businesses can avoid penalties and uphold the GDPR's purpose.
What to do if you suspect a data breach
If you suspect a breach, be upfront about it immediately. Any staff training should encourage your employees to come forward, even if they think it’s a near-miss. You have 72 hours to tell the ICO about a reportable breach, and the clock runs from when you discover it.
Keep proper details. Find out and record what happened, who is involved, what you're doing about it, and the timeline. Your main priority is to find out what happened to the affected data. If it’s recoverable, do it immediately.
Assess the risk and, if it is high, protect the people affected by giving them specific and clear advice on the steps they can take. Submit your report to the ICO. If you’re unsure whether the breach is reportable, use the ICO's self-assessment tool.
The Most Common Data Breaches
The UK’s Information Commissioner's Office (ICO) has outlined the six most common data breaches.
1. Access by an unauthorised third party
Typically the result of malware, ransomware or hacking, often enabled by systems that are old or that lack adequate, up-to-date protection.
2. Sending personal data to the wrong person
We're only human. In busy or stressful times, mistakes happen. Unfortunately, where data's concerned, the consequences can hit home hard.
3. Deliberate or accidental action (or inaction) by a controller or processor
We all like to think the people we work with are scrupulously honest, but the opportunity to sell lucrative sensitive information may be difficult to resist for a few, especially in tough economic times. Equally, someone who left the firm under a cloud may take advantage, especially if they still have access.
4. Loss of availability of personal data
Sometimes, systems and files give up the ghost, corrupting, losing or destroying data. Hard copies can be mislaid, misfiled or accidentally shredded. If these are your only records, the data's gone for good.
5. Lost or stolen devices containing personal data
Is there anyone who hasn’t had that sinking feeling of leaving a laptop, tablet or smartphone somewhere? And if the device doesn’t have secure password protection, criminals can quickly exploit personal information for fraud.
6. Altering personal data without permission
As well as the chance of hackers gaining access and changing passwords, staff members may change personal information to deceive or to misrepresent it. Even making minor tweaks to, say, someone’s age to fulfil an email campaign list still infringes the regulations.
How to Avoid Common Data Breaches
First, conduct a risk assessment, for example using the ICO's impact assessment template, to discover the current state of play. It should aim to tell you the likelihood of a GDPR breach and its potential consequences so you can prioritise your resources.
The ICO also suggests several actionable steps which can reduce your risk of committing the common GDPR breaches mentioned above:
A. Store data securely
Helps prevent third-party access or misuse if a device is stolen. When dealing with sensitive information, ensure you have the strongest possible online security. Given the potential consequences, this isn’t the time to settle for the simplest and cheapest option. Criminals are increasingly tech-savvy, so you need to keep one step ahead.
Choose the best you can afford, wherever possible. For businesses that keep hard copies of data, lock up paperwork whenever it’s not in use and put a clear desk policy in place – right down to personal info on post-it notes.
B. Create a remote working policy
Helps prevent third-party access or misuse if a device is stolen. Since the pandemic, far more of us are regularly working from home. Make sure your employees understand how to handle personal data when off-site. If using mobile devices, secure them with two-factor authentication or similar tech, and create a hybrid working policy that includes security guidelines.
C. Keep client details up-to-date
Helps to prevent personal details from being sent to the wrong person. Ask your clients, customers or members to let you know when they change their contact details. Keeping your database up-to-date will reduce the risk of data going to the wrong address.
D. Label documents appropriately
Helps prevent personal details from being sent to the wrong person. Naming your documents clearly and consistently will reduce the risk of employees sending the wrong one.
E. Take care when redacting data
Helps prevent personal details from being sent to the wrong person and processor/controller error. When a client asks to see their data, making and sending copies can be all too easy. Always check if there are any details about other people on the documents and remove them.
F. Be careful when using blank templates
Helps prevent personal details from being sent to the wrong person. If using blank templates, ensure your employee always creates a new copy rather than overwriting a used one, which can leave fields populated with previous details.
G. Review employee access
Helps prevent unauthorised use, direct action by a processor or controller, or alteration. Not everyone needs access to everything. Ensure only those who need access have it and act fast to remove it when someone leaves the company to avoid any temptation to sell or alter data for personal or business gain.
H. Think about ex-employees
Helps to prevent unauthorised use. Some leavers may take customer details to use in their next position. Include clear clauses in employment contracts that prevent ex-staff members from approaching your clients to avoid any temptation to sell or alter data for personal or business gain.
I. Back up your systems regularly
Helps prevent the loss of personal data. Losing vital data may seem unlikely, but the unexpected does happen. Back up your systems as often as possible so you retain info in the event of fire, flood or a system failure.
Penalties for breaching GDPR
In the first 20 months of GDPR, more than €114 million in fines was issued. Since then, several high-profile companies have made world news for data breaches.
Luxembourg fined Amazon a record €746m, while Meta, which owns Facebook, Instagram and WhatsApp, was hit with four separate fines of €405m, €390m, €265m and €225m in Ireland. All dwarf the previous highest – Google’s €90m in Dec 2021.
While these fines are proportionate for global powerhouses, penalties can be high, no matter the size of your business. Under UK and EU GDPR, the maximum fine is £17.5m or €20m respectively, or 4% of your annual global turnover, whichever is larger.
Admin errors (not leading to a data breach) carry lesser fines, while penalties for minor infringements include warnings and reprimands, a temporary or permanent ban on data processing, restoring, restricting or erasing data, or suspending data transfers. Breaches also lead to significant reputational damage.