
Data Breach Compensation Culture?

If your personal data has been breached, what can you do about it? Take appropriate security measures, but increasingly the answer is to claim compensation.

Under the 1998 Data Protection Act, a person could bring a case to recover losses due to a data breach. Depending upon the scale of your loss, this could be a major task for a small return.

The GDPR has changed this picture. It has added the concept of claiming compensation for the distress caused by a breach in addition to direct losses. Indeed, there do not need to be any direct losses to establish a claim.

When ‘Which’ magazine runs articles on claiming compensation for a data breach, the concept has entered the mainstream. How will this work in practice and what might the impacts on data controllers be?

A history lesson from personal injury claims

In the late 1990s, a decision was taken to stop providing legal aid for personal injury claims. Instead, the ‘no win, no fee’ model that had been operating in the USA would replace state-funded claims.

Although many individual firms of solicitors and groups still provide ‘no win, no fee’ services, the market has been largely taken by claims management companies. Despite some early issues (The Accident Group going into administration in 2003, for example), claims management companies now form an accepted part of the landscape.

The claims management firms may instruct solicitors, but are not law firms. From an economic point of view, taking a case to court is the least preferred solution. It’s likely that a settlement will take place without the case ever going near a courtroom.

How do the claims get paid? Most often this type of claim is covered by public liability insurance. Businesses usually have this insurance and you’ll have equivalent cover through your household and car policies.

More recently, with the personal injury market becoming saturated, we’ve seen aggressive marketing of claims in relation to payment protection insurance mis-selling claims, especially with the deadline for claims rapidly approaching.

Data breaches – A new opportunity

Under the GDPR there is still an expectation that a claim for compensation will come to court. Claimants are encouraged to make a complaint to the ICO first. A determination by the ICO that a data controller has not met their obligations to protect the claimants’ personal data is a very significant advantage.

The prospect of more generous compensation after a data breach means that we’re starting to see a crop of companies offering to seek compensation. In the UK most of these are based on existing firms of solicitors and are taking the ‘no win, no fee’ approach. Try putting ‘data breach compensation’ into your favourite search engine to see the sort of services on offer.

In some very high-profile cases specialist operations are forming around the breach. The best example of this relates to the airline Cathay Pacific, which announced in October 2018 that it had experienced a major breach affecting up to 9.4 million customers. Within days of the announcement, websites like cathaydatabreach.com were offering affected individuals the chance to join a group seeking compensation.

Market consolidation

If we see a series of large compensation payments, then it’s very likely that we will also see consolidation in the claims industry and the rise of the data breach claims management firm. We can expect a move towards ‘settlement out of court’ because of the issues of timescale and cost. At the end of the day, it’s easier to pay to make the issue go away.

In the same way that the claims industry is gathering, so is the insurance side of the equation. Try searching for ‘Data Breach Insurance’ and you’ll find that business insurance giant Hiscox is already in the market along with lots of others. There is a strong focus on cyber breaches at this point, but that just aligns with public perception of what a data breach looks like.

What does it all mean?

Right now, with a high degree of uncertainty following the introduction of the GDPR, compensation for data breaches looks like an attractive opportunity. Big breaches tend to come from major corporations with deep pockets. This makes both breach claims and breach insurance good bets for growth markets.

For data controllers outside the corporate sector, the likely outcome is that in addition to the costs of compliance, you may need to add the cost of breach insurance in case you find yourself in the firing line too.

Welcome to the new site

Welcome to our new site

We wanted to tell you about some changes that have been going on here lately.

You may know us through GDPR Sentry, so be reassured, we’re still the same company. It was becoming clear that there was confusion between our Sentry cloud-based compliance system and our other services.

So the GDPR Sentry site is now dedicated to the Sentry system. This new site gdprdesk.com contains more background information and our services and training courses.

The GDPR Desk site is the place to come to get news about data protection and ideas for compliance. We’ll also be flagging up particular issues that we see as part of supporting our customers. You can expect to see new information on a regular basis as things in the data protection world don’t stand still. Now the GDPR has been in force for 5 months some of the early lessons are being learned, particularly around dealing with personal data breaches.

GDPR Desk is for everyone. We have special relations with the Education sector, but our experience and background can be brought to any organisation. We are presently looking at the ‘Compensation Culture’ that’s springing up. Any organisation could be affected and it’s potentially more likely to impact you than action taken by the ICO.


We hope you find the content here useful, and if you’d like to find out more then please get in touch.

To outsource, or not to outsource…

I’ve mentioned before that schools face significant challenges with GDPR compliance. State schools deliver a public task and are required to have a Data Protection Officer. It can be hard to find someone who wants to fill this challenging role. The DPO is a source of expert advice on all matters of data protection, but can’t be responsible for determining how personal data is processed.

Many schools are considering if outsourcing the role of the DPO is the answer to the conundrum. Some local authorities are creating outsourced services for this very purpose. Having someone outside of the management team, who can be named on your ICO registration form could be useful.

There are a couple of issues that you need to consider when you think about outsourcing the DPO role. I’ve already mentioned that the DPO is an advisor. They will not be doing the work to make you compliant. They won’t be mapping your data, ensuring that all staff understand the procedures for dealing with SARs, nor collating the data to respond to them. These are all tasks that belong to the data controller.

The second issue is about responsiveness to situations in the school. The DPO needs to be available to respond to issues and have good knowledge of the organisation they are advising. Let’s assume there’s someone at the reception desk with a complaint about how their personal data has been processed. A member of the team has to get hold of the DPO, then discuss the situation and be given advice about how to deal with it. By the time that process is finished, tempers may have risen!

Some schools are taking the approach of having a ‘Privacy Officer’ in school who works with the outsourced DPO. This approach seems to balance out the requirements. The Privacy Officer, as the person on the frontline will need to have a solid understanding of the GDPR to be able to deal with most questions. That will take training and time to build up the expertise.

When you look at outsourced options, it’s worth considering what can practically be delivered and what you’ll still need to have in place to manage data protection after May 25th.

Sentry matches the requirements of the ICO

Our survey said…

It’s now less than four months until enforcement of the GDPR begins. You’d imagine that everyone now knows about the regulation even if they’re not totally clear about the impact.

On Tuesday of this week (24th January), the Department for Digital, Culture, Media and Sport released some preliminary results from the Cyber Security Breaches Survey.

With less than four months to go until enforcement begins, significant numbers of businesses and charities had not heard of the GDPR. This included 20% of businesses and 25% of charities with more than 250 employees.

The highest levels of awareness were in the finance and insurance, information and communications, and education sectors (79%, 67% and 52% respectively). That still means almost half of the organisations in the education sector were not aware of the regulation. If you remember the game show Family Fortunes, the cross is showing and the ‘Eh-Uhh’ noise is blaring.

Of those who were aware of the GDPR, only about a quarter have taken action. Like lots of us with Christmas shopping, it looks like there will be a last-minute rush. Of course, just like joining the last-minute rush, you may not get what you want.

The fact that you’re reading this post plainly means that you’re in the group that’s aware of the GDPR, but you may be wondering what you need to do next.

If you haven’t done it already, start with an audit of the personal data you are holding. It’s worth remembering that the scope of what counts as personal data is pretty broad. As well as personal data in IT systems, paperwork in any form of filing system may well hold personal data too.

You may well find that a name and address, for example, is held in 5 different places and comes from more than one source. It may take a long time, but once you understand where personal data is located and how it’s held, many of the other requirements for compliance start to fall into place.

If you don’t want to get trampled in the mad last-minute rush, it’s time to get going.

Here comes the Data Protection Bill

On Wednesday 17th January, the Data Protection Bill completed its journey through the House of Lords and headed back to the Commons. This means it’s heading toward the last stages before it becomes law.

Over the last few weeks I’ve been asked several times what the difference is between the Bill and the GDPR, and also whether the Bill will mean that the GDPR no longer applies. If you were hoping for this outcome, I’m afraid I must dash those hopes. The Bill mentions the GDPR 480 times; the Regulation is inextricably woven in.

The Bill enshrines the requirement to comply with the terms of the GDPR into UK law. This means of course that after Brexit you’ll still be required to manage personal data to the same standards as the rest of the EU. This will provide real benefit for firms wanting to do business in Europe.

But the GDPR doesn’t cover every situation where the UK needs to manage personal data. This is particularly so in relation to the operation of the government itself, and situations relating to national security.

There has been some friction between the ICO and the government over these additional regulations. The Information Commissioner is concerned that government is giving itself the right to impose a different framework on a range of organisations only loosely connected with delivering public services. There are still some things to be ironed out before the Bill is given the Royal Assent.

For most organisations, these considerations will have little or no impact. The requirement to manage personal data under the terms of the GDPR remains the same, and the 25th of May remains the deadline for compliance.

Happy New Year

Happy New Year! Welcome in the GDPR

You know what it’s like: the New Year celebrations are done and it’s back to the realities of work. Part of that reality for 2018 is the enforcement of the GDPR that starts on the 25th May. You’re probably familiar with the basics, but just in case, here is the GDPR in 59 words.

The General Data Protection Regulation replaces the Data Protection Act. It extends the definition of personal data and sets tougher sanctions for non-compliance. A new right, Data Portability, allows individuals to take personal data from one organisation to another. Organisations must take a risk management approach to data protection and some are mandated to have a Data Protection Officer.

There’s quite a lot more to it of course and the Regulation is not light reading by any means.

It’s important to recognise that the GDPR has been designed as a set of practical regulations. Let’s take data breaches: the GDPR sets out that there are three classes of breach and then mentions a deadline of 72 hours for a breach to be reported to the supervisory authority (the ICO in the UK).

With the emphasis on risk management though, only breaches that present a risk to people’s rights and freedoms must be notified. This was confirmed by Elizabeth Denham, the Information Commissioner, back in September of last year.

Data mapping is the key to this risk assessment and it’s one of the most important things you can do to prepare for compliance. It’s about understanding how personal data flows through the systems and processes of your organisation. From this map, you’ll be able to see the potential risks and ensure the proper security is in place. In the event of a breach you’ll know what data has been compromised and where suspect data can end up.

GDPR Envy: Data protection across the pond

Among all the questions about the impact of the GDPR, it’s interesting to see another perspective on concerns about personal data. This comes from consumers in the USA, a country with some mixed attitudes toward privacy in general. From a survey conducted in September 2017, PWC have produced a report for their Consumer Intelligence Series called Protect.me.

There are some fascinating insights into the representative American adult. Fully 45% of the sample thought that their email or social media accounts would be hacked in the next 12 months, 29% expected to be the victim of credit card fraud (really 29%?) and 21% expected their employer would be subject to a cyberattack.

It’s perhaps worth pointing out that 25% of the people asked thought they would have a lottery win in the next 12 months, so despite the worries there is still optimism.

Of the people asked only 10% felt they have complete control of their personal information. More than 70% felt that the company holding their data (the Data Controller from our perspective) was better qualified to protect that data compared to the Government. At the same time more than 80% felt that there should be regulations covering how companies can use personal data.

What’s interesting is something that makes it into the report almost as a throwaway line.
“Unlike the European Union’s approach to data privacy regulation—known as the General Data Protection Regulation (GDPR)—most US data privacy laws vary by sector, data type, or from state to state.”

Whether we are in the EU or not, our decision to implement and abide by the requirements of the GDPR means that we are likely to be given trusted status. This means that there are more than 600 million people whose data can be processed here in the UK. It also means that firms in the EU will be able to outsource to the UK easily. Sometimes there are advantages to doing things as a group!

With the GDPR the Devil is in the details

Mention the UK and the EU right now and you’ll almost certainly hear about Brexit. Organisations pondering life outside of the EU may be forgiven for not being totally up to date with the details of the GDPR.

Take a journey back in time with me to 1963. Britain was trying to get into the six member club that was the EEC. General De Gaulle had just given his first ‘non’ because of a perceived lack of commitment to the principle of the community.

In the same year Richard Mayne, the personal assistant to the first President of the EEC, said:

“On the principle that ‘the devil is in the details’, what should have been a merely formal occasion developed into a debate about the Community’s official languages and the site of its headquarters.”

It’s arguable whether De Gaulle was proven right in the end, but if the GDPR is anything to go by Mayne was spot on.

The problem is that despite the 99 Articles, the 173 recitals and the hundreds of pages of guidance, there are still plenty of places where the regulations must be interpreted. There is discussion about how case law will develop around these blank spaces, but who wants to be the name on the court case?

For organisations who are moving towards compliance a judgement must be taken on how to proceed in the world away from the ‘Eurocrats’ (reputedly another Mayne invention). There is a balance between being able to deliver service to customers, keep their information secure and avoiding enforcement action.

The 25th May is not going to be the end of the process by any means. We’ll all be adjusting our view of what the regulations really require for some time to come.

Should you have a DPO?

The DPO, or Data Protection Officer, is a role that has been discussed at length as the GDPR has moved from concept to reality.

The DPO is responsible for:

  • Informing the organisation on its GDPR obligations
  • Monitoring that compliance
  • Being the first point of contact for employees and supervisory authorities
  • Training staff
  • Conducting audits and supporting data protection impact assessments

There are requirements about how the role fits into the organisation. It must report to the highest level (to a board member) and have access to appropriate resources. The DPO must not be at risk of dismissal or penalty for doing the job. Conflicts of interest, such as decision-making responsibility for how data is processed, are not allowed.

You can assume that all the requirements were made with large organisations in mind.

Some organisations must appoint a DPO. Public bodies like schools and organisations that process large amounts of personal data must have a DPO in place for May 25th 2018. For others there is no mandatory requirement.

The question is, should you appoint a DPO anyway?

Organisations rely on accurate, well-managed information; it makes great customer service easier and can be the basis of improved efficiency.

It may seem that the Data Protection Officer must be an IT expert but, in fact, it’s a process role. The best person to deal with the task may well sit in an Operations role, or be someone already responsible for quality management. This should avoid the conflict of interest issue, but there may still be some reassurance needed that they will be supported.

Thinking about compliance as a process you integrate with the day to day operation of the organisation, rather than an unknown external risk can remove the fear factor. Whether you give the title to a person or not, the tasks of the DPO can become part of business as usual.