“But the law doesn’t say…”: a careless excuse for data protection breaches, or risk assessments in action?

Sean Hick, Genus Law

30th October, 2015

It will not have escaped your notice, if you have read a newspaper, turned on the TV or been online over the last few weeks, that the big topic of note is data protection… or what appears to be a severe lack of it in large national and multi-national organisations. We highlight the key points and what you should do.

In the last few weeks we’ve seen TalkTalk customer data hacked, Marks and Spencer customer data visible on other customers’ accounts and British Gas client account details becoming the latest wave in the furore about data protection. This is just the tip of the iceberg with an estimated 600,000 Britons having their personal details accessed from databases (from companies and the government) last year alone.

One of the more contentious comments in the last few weeks has to be that of TalkTalk’s Chief Executive, Baroness Harding, who, following TalkTalk’s confirmation that the stolen data had not been encrypted, announced: “nor are you legally required to encrypt it”.

And so starts the debate. Is doing the bare minimum required for data protection really enough?

Nothing in this world (not least the law) is 100% clear. But legally (and yes, this is where I’m afraid I have to get technical) the law requires:

“Appropriate technical and organisational measures [to] be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.

What that means is, of course, open to the interpretation of the regulator (the Information Commissioner’s Office (ICO)), the courts, the businesses implementing the legislation and the general public. But whose voice wins out in the end? And what are “appropriate technical and organisational measures”?

In the end (at the top of the food chain) the courts and the ICO take priority and make the final decision. In just three months (April to June) this year the ICO issued one fine, seven undertakings, one enforcement notice and received 391 new cases relating to data protection breaches. It is also taking a hard line on enforcement, issuing bigger fines in a more prominent fashion against those growing companies that flout the rules. Every company needs to consider whether its practices on data protection will stand up to scrutiny and what risk it takes of being fined.

However, the public (including mass media hype) are the ultimate judges of the companies. People vote with their feet and in these days of social media (where quite ironically personal data is thrown about with gay abandon) the loss of customers as a result of data protection breaches is probably the one thing companies fear the most.

Is it really in a company’s power to decide?

In light of the above, the guidance within the legislation seems to confirm the realistic position, advising that those tasked with protecting data should take account of the state of technical developments and the cost of implementing such measures balanced against what harm might arise from unauthorised processing of the data and the nature of the data being processed.

It seems that, as with TalkTalk, the decision on how much data protection to implement is one which falls to the company’s appetite for risk versus the cost of an (almost) infallible data protection system. It’s all well and good saying that a company might be fined £200,000 by the ICO and lose £500,000 worth of customers if their data is breached. However, if the cost of creating an “infallible” system (something I don’t consider exists) would be £2,000,000, which option would you take?

The future

Change is also afoot, and the ICO is likely to give guidance on best practice as a direct consequence of the various breaches over the last few weeks. This is likely to impact business before any of the changes set out below.

Additionally, at some point in 2016 it is going to be significantly more important for companies to meet their obligations and move away from the “risk assessment” approach they have taken for so many years. The current proposed changes (which are subject to final agreement) are:

• Changes to the way in which consent to processing data is obtained;

• Data collected must only be “the minimum necessary”;

• Companies having to hold detailed and accurate records of their compliance procedures;

• The compulsory appointment of Data Protection Officers to oversee data control (and report any breaches to the ICO);

• Data will need to be held in a format that is easily moved from one provider to another;

• Data will need to be held in a way where it can be permanently deleted at the request of the person it relates to;

• Expanding data protection obligations to those companies which merely process the data on behalf of another person/company; and

• The introduction of significantly higher fines of up to €1 million (£720,000 approx.) or 2% of global turnover.

What does this mean?

The raft of changes is likely to be costly. Not only will there be the initial outlay (updating and adapting systems and processes), but there will also be the day-to-day compliance obligations that are likely to be put on companies.

Our recommendation would be to start the preparations now. The changes are coming quickly and whilst they are far from finalised, when they are agreed the chances are that there will be insufficient time and funds set aside by companies to implement them.

At Genus Law we are experts in reviewing and advising on changes to data protection policies and procedures and ensuring that the principles are disseminated across the business by implementing changes to terms and conditions and other commercial contracts, and by providing down-to-earth, practical training for staff on this complex area of the law. Contact us on commercial@genuslaw.co.uk or call us on 0113 320 4540.