Examples Of Data Breaches Under The GDPR
The UK General Data Protection Regulation (UK GDPR) bears a striking resemblance to the European Union's law on data protection and privacy. More exactly, it compels website owners to obtain explicit consent from users before processing their personal data by means of cookies and third-party trackers. All organisations have to report personal data breaches to the relevant authority, in other words the Information Commissioner's Office (ICO). If the incident results in a high risk to individuals' rights and freedoms, the affected individuals need to be notified as well. GDPR is relevant only if the infringement involves personal data, such as information about employees or consumers.
Liability For Data Protection Fines
The Information Commissioner's Office can take regulatory action. In some instances, it may serve a monetary penalty notice on the data controller. The ICO issued £42 million in fines during the financial year 2020/21. A significant proportion originates from penalties issued against British Airways and Marriott International. The British Airways website diverted users' traffic to a hacker website, and the malicious actors stole the personal information of more than 400,000 customers. Marriott International, on the other hand, exposed itself to a cyber-attack following the acquisition of the Starwood hotels group.
There are two levels of fines:
- Up to £10 million or 2% of the worldwide annual revenue
- Up to £20 million or 4% of the worldwide annual revenue
According to the experts at Data Breach Law, individuals can make private claims for distress and/or damage caused by the breach. Such claims used to be rare, but are becoming more common. If a person can't reach an agreement with the organisation, they can go to court to protect their rights under data protection law.
Personal Data Breaches: X Critical Examples
Some incidents take place due to human error and honest mistakes. Alternatively, personal data breaches take place because of a lack of procedure and guidance. Regardless, it's crucial for an organisation to have suitable protection in place. Even when a crime has been committed against the organisation, that organisation is accountable for the personal data under its control. Beyond losing personal data, the organisation also suffers reputational damage.
Personal data breaches can include:
Access By an Unauthorised Third Party
An unauthorised third party is a person or an entity that, at the time of the computer incident, isn't an authorised user. Given the current cyber threat environment, it's essential to prioritise security. End-to-end encryption and encryption key management are two ways of protecting sensitive data. A third-party app can reinforce the cloud email provider's native encryption, so that even if the email account is compromised, the data remains private and secure. The proper management of cryptographic keys is vital from a security standpoint. If the controller stores a backup of an archive of personal data on a USB key, that key can be stolen during a break-in. By hosting the keys themselves, organisations can remove the risk associated with third-party access to the data.
Deliberate/Accidental Action by The Controller or Processor
A brief power outage, lasting a couple of minutes, at the controller's call centre makes it impossible for customers to obtain access to their records. It's not a notifiable breach, yet it's a recordable incident. Here's another example. The personal data of countless students are sent to the wrong mailing address by mistake. Depending on the scope and type of personal data involved, not to mention the possible consequences, individuals should be informed about what happened.
Alteration Of Personal Data Without Permission
An organisation can process personal data only when it obtains the consent of the individuals concerned. This is true for many types of marketing calls and messages, website cookies and online tracking tools, and for installing apps on other people's devices. Every person has the right to the protection of their personal data. That information must be processed for specific purposes and, most importantly, on the basis of consent. Consent requests should be kept separate from the other terms and conditions. Vague consent isn't enough; it has to be explicit. Consent must be provided willingly, directly to the entity seeking the information. The organisation should educate the person about the risks, benefits, and alternatives. Also, consent must be revocable at will.
Steps To Preventing a Data Breach
If not addressed in a timely manner, a data breach can bring about physical, material, and non-material damage. For small and medium-sized businesses, the situation is particularly concerning. Larger companies, even if they don't have to shut their doors, suffer serious consequences. It's possible to minimise the risk of personal data breaches by following a number of practices, such as:
- Carrying out regular risk assessments. A risk assessment enables controllers to identify the risks relating to the processing of personal data. It's necessary to take into account all options, including data storage and remote access for employees. Needless to say, the policies and procedures in place should be adequate.
- Reviewing access controls. This is useful for checking whether a given user or system is appropriate to view or update information. Users should only have access to resources that are necessary to perform their tasks. Perhaps it's necessary to tighten access controls.
- Backing up systems. The purpose of backup is to ensure a way of restoring the integrity of a computer system in the event of hardware/software failure, human error, or cyber-attacks. Backups of personal data should be stored securely offsite.
- Watching out for ex-employees. Departing employees can take sensitive data with them, so they represent a threat to the organisation. They don't do it intentionally, and most of them forget the data is in their possession. This is precisely why the IT department should collect computers, tablets, external hard drives, backup disks and similar devices when staff leave. Clauses can be introduced in employee contracts to prevent ex-employees from getting away with sensitive information.
The bottom line is that there are many ways to limit access to personal data. An outside hacker doesn't always cause a data breach. Sometimes, incidents of this kind can be traced to unintentional actions.