
Data Protection: Its Significance

  • December 19, 2025

There have been a few times recently when the topic of data protection has come up in conversation, and I have been asked to comment on its definition and on the procedure to follow upon noticing a data breach. In light of the recent news surrounding the Foreign Office attack, I thought I would outline a couple of these important concepts here.

The Data Protection Act 2018 was designed by the UK government to describe a set of regulations relating to the use of personal data. The act introduces new offences, including knowingly or recklessly obtaining or disclosing personal data without the consent of the data controller, and selling or offering to sell this data.

It ensures that health, social care and education data can continue to be processed, whilst at the same time making sure that confidentiality in health and safeguarding situations can be maintained. The act is a complete data protection system, and it encourages businesses to take care to protect their data by implementing effective cybersecurity controls.

In contrast, the GDPR 2016 is a set of regulations solely concerned with the processing of personal data. It allows individuals to better control their personal data. This includes easier access to an individual’s own data and to information on how that data is processed, a new right to data portability, a clearer right to erasure and the right for individuals to know when their personal data has been breached.

There are clear protocols for dealing with a data breach, which include assessing the breach and determining whether reporting is necessary. If the breach poses a low risk to people’s rights and freedoms, a business might not need to report it, but it still might need to log it. If the breach is high risk, the correct procedure is to notify the Information Commissioner’s Office (ICO) within 72 hours via the online form on its website or its reporting tool.

Measures for assessing the risk include looking at historical incident data and at the findings of audits or data protection impact assessments. They also include looking at the risks to individuals, which encompass financial loss, reputational damage and access to services or data. It is important for organisations not to expect a fine or reprimand provided that the data breach has been reported via the correct method and on time.

However, the penalties for not reporting a breach are severe, and authorities are not known for their leniency. Most of the breaches make it out into the open – the more severe the consequences of a breach, the higher the risk will be.
