I am a solicitor who has specialised in data breach compensation claims.
Regardless of a company’s data security measures, there can never be 100% certainty that it is totally safe from a data breach. Companies need to know how to recognise, deal with, and report a data breach as soon as it happens, as this will help them avoid many unnecessary complications.
The General Data Protection Regulation (GDPR) is a data protection law that has applied since 2018 to govern how personal data is shared and handled. The regulation protects against data breaches by setting obligations, with notices issued and penalties imposed when a violation is confirmed. So, what is a breach of GDPR in the UK? Keep on reading to learn more about this topic.
What is a Breach of GDPR in the UK?
A breach of GDPR refers to any breach of security that leads to the accidental or unlawful loss, destruction, alteration, unauthorised disclosure of, or access to, personal data. However, there are several different types of data breach, and companies need to deal with them according to their severity and how likely they are to affect the security of the people or parties involved.
The Information Commissioner’s Office (ICO) is an independent regulatory office in charge of upholding information rights in the public interest. According to the law, an organisation is supposed to report a breach within 72 hours, where feasible, to allow the regulator to take adequate action. If the breach is likely to affect individuals’ safety, privacy, or well-being, or their rights and freedoms, the organisation should also notify those individuals of the breach as soon as possible.
Organisations are required to have a response plan for a data breach, which means having a proper system for detecting, investigating, and reporting breaches in place. This helps them determine the severity of the breach, and whether they need to inform the ICO, the individuals involved, or both.
Examples of UK Data Breaches
The GDPR helps companies and organisations understand the importance of protecting data. However, there are still cases of data breaches that could have been avoided if organisations had taken the right measures to protect their data. Here are some of the most significant data breaches in the UK.
Morrisons, the UK’s fourth-biggest supermarket chain, suffered a huge data breach in January 2014, when one of its employees uploaded the personal data of more than 100,000 employees to a public file-sharing website.
The employee was a senior IT auditor who had been subjected to an unrelated disciplinary action. In response, he downloaded the payroll details of more than 100,000 employees onto a USB drive and uploaded the data to a public file-sharing website, exposing the employees’ bank account details and salaries.
As a result, thousands of employees filed for compensation and were awarded compensation pay-outs. Although the preliminary ruling stated that the company wasn’t directly liable for the breach, Morrisons lost about £2 million because of this incident. The employee was sentenced to eight years in prison.
In 2017, Wonga Loans, the leading payday loan firm, suffered a huge data breach that affected about 245,000 customers in the UK and 5,000 customers in Poland. The leaked data included phone numbers, addresses, bank account numbers, and sort codes.
Although the cause of the breach wasn’t accurately determined, experts state that it was because the company wasn’t 100% compliant with data protection laws. The attack was probably launched by cyber criminals in Asia who wanted to steal bank card details for online shopping.
The breach happened on a Tuesday, but the company chose to remain silent for several days, a delay that would now violate the GDPR. Wonga Loans agreed to pay compensation of more than £2.6 million to more than 45,000 customers.
How is GDPR Affected by the UK Leaving the EU?
After leaving the EU, the UK had a transition period until the end of 2020, allowing it to come up with new regulations to deal with data protection. Until the end of the transition period, the GDPR applied, and companies complied with its rules.
Since January 2021, the transition period has ended, but the EU GDPR’s requirements remain in force as the UK GDPR, which incorporates the EU GDPR into UK data protection law. The UK government has the freedom to keep the framework under review, with minor changes to core data protection principles and obligations.
Organisations that operate in the European Economic Area (EEA) might still fall under the EU GDPR. The same applies if they deal with European organisations that send them data, in which case they might need to make sure that those transfers are also in line with the UK GDPR.
How Can You Prepare for a Data Breach?
Taking security measures can help companies avoid a data breach. A company that is prepared for a breach should be able to say the following.
The organisation’s personnel understand what a data breach is.
Employees understand that a data breach involves more than the loss or theft of data.
There’s a precise plan that helps the company deal with a breach as soon as it happens.
Staff know how to escalate an incident without delay.
How Can An Organisation Assess a Data Breach?
There are several ways in which an organisation can assess the severity of a data breach in their company. Based on this assessment, they’ll be able to decide whether they need to report the breach to the ICO, the individuals involved, or both.
If the company is subject to the Privacy and Electronic Communications Regulations (PECR), for example because it provides a service that members of the public use to send electronic messages, the breach should be reported.
Data involving ID numbers and credit card numbers usually carries a higher risk to the individuals involved.
Study the consequences of the data breach. If the lost or altered data could be used for identity theft or other types of fraud, the data is considered high-risk.
How Can Companies Respond to a Data Breach?
If a breach has been confirmed, here is what an organisation can do.
The company has a process to identify and assess the risk to individuals arising from the data breach.
There’s an efficient system for notifying individuals that their data has been breached.
The company knows how to report the breach to the relevant authorities within the specified time period.
The company can provide advice to individuals affected by the breach.
The company keeps a record of all data breaches, even the ones not reported.
A data breach is avoidable, but in case it happens, a company should know how to comply with the rules to help manage the consequences. According to the UK GDPR, not all data breaches need to be reported, but every organisation should have an efficient system for dealing with them as soon as they occur.