The government recently published its 2017 Cyber Security Survey results. Of note:
- 46% of British businesses discovered at least one cyber security breach or attack in the past year;
- Common breaches include issues surrounding fraudulent/phishing emails, viruses, spyware and malware; and
- Only 26% of businesses reported an attack to an external agency.
The findings illustrate the importance of data protection measures. The Data Protection Act 1998 (DPA) imposes certain obligations, including a requirement for organisations controlling personal data to implement “appropriate technical and organisational measures” to protect personal data from unauthorised and unlawful processing. This includes security measures appropriate to the nature of the personal data to be protected, as well as the harm that might result from any unauthorised or accidental loss, damage or destruction of such data.
The ICO (Information Commissioner’s Office) guidance states that to manage a breach of security, organisations should:
- Adopt a recovery plan;
- Assess ongoing risks associated with the breach;
- Consider whether a breach of security should be notified, who should be notified and what information should be given;
- Evaluate the cause of a breach and the effectiveness of its response to it; and
- Consider whether to notify individuals affected by a data breach, and of any steps they should take to protect themselves.
Currently, the ICO only expects to be notified where there has been a serious breach. However, this will change in 2018 when the EU’s General Data Protection Regulation (GDPR) takes effect. The GDPR imposes much stricter obligations, including the requirement to notify the ICO of all data breaches without undue delay (and where feasible within 72 hours), unless the data breach is unlikely to result in a risk to individuals.
With the ICO having the power to fine organisations up to £500,000 for failing to comply with the DPA (which will increase to the greater of 2% of annual worldwide turnover or €10 million under the GDPR), data protection is a key issue for businesses and the consequences of non-compliance can be costly.