The Home Office breached the GDPR 100 times between 30 March and 31 August 2019, a report from the Independent Chief Inspector of Borders and Immigration (ICIBI) has found.
The breaches related to the EU Settlement Scheme, which accepts applications from EU citizens so that they can remain in the UK after Brexit. They included unauthorised disclosure of information, documents being sent to the wrong person, and passports being misplaced.
According to an article from Infosecurity, the breaches also included “23 documents misplaced by a postal company in July” and an incident in April in which “240 email addresses were exposed after a Home Office employee forgot to put them in the BCC field when sending a bulk email”.
The article quotes the following from the ICIBI report:
“The information provided to inspectors regarding data breaches was concerning, not least the increase in breaches each month between April and July 2019 (with a slight dip in August 2019), albeit most of those to the end of June were due to a postal company rather than EUSS staff or processes,” it concluded.
“Data breaches damage public confidence, and applicants will blame the Home Office, whether or not this is fair. It is therefore important for the Home Office to do everything it can to keep breaches to a minimum.”
The Home Office responded that its data protection measures and procedures are improving:
“We are also in discussion with the heads of security, integrity and data protection to ensure our processes are aligned to GDPR compliance,” it replied to the ICIBI. “Bulk email processes have changed so there will be no errors going forward.”
The ICIBI also suggested that the problems it uncovered should be easy enough to fix.
“Most appear to have involved document handling errors and these should be easiest to prevent with clear instructions and good organization,” it said.
You can read the full article from Infosecurity here.
This demonstrates that human error is a major problem when it comes to data protection. As we learned at PrivSecLondon last month, it is responsible for 60% of all breaches.
This can and should be countered with training for all employees, from the most junior to the most senior. A culture shift is also needed across organisations in order to keep up with evolving legislation.
If you want to make sure your employees are up-to-date and know their obligations under GDPR, check out our Staff Training offers, which are available in both in-person and online formats.
GDPR is going to be a big challenge for organisations to implement, but the consequences of breaches and of failing to comply with GDPR can be huge. GDPR fines and penalties could potentially cripple an organisation that fails to adhere to the new regulations.
If there is any breach of data, such as a hack, the data controller must notify the Supervisory Authority no more than 72 hours after becoming aware of the breach; the clock starts at the moment of awareness, not at the breach itself. There is no room for misinterpretation or excuses here: if the Supervisory Authority is not notified within the 72 hours, the notification of the breach must be accompanied by a suitable reason from the controller for the delay. A suitable reason would be something outside the controller’s power, such as a power outage.
Notifying the data subject (i.e. the person whose data is being held) is slightly different, though. The data subject must be notified of any potential breach UNLESS the data is anonymised, meaning that it is not immediately recognisable as the original data the subject supplied. Pseudonymised or encrypted data hides what the data actually is behind a mask or coding, with only a small number of people able to uncover its true meaning. Without the means to do that, the data is essentially useless.
Data can be thought of as raw facts and figures that, on their own, appear to make no sense. We must add categories and context to the data for it to become information and knowledge. Hence, if a piece of data is hidden behind a mask or code, those who do not know how to unlock it cannot even tell what data they have obtained.
FINES AND PENALTIES
The consequences of failing to comply with GDPR can be huge, but while you may see big figures bandied about, those are not necessarily the fine you or your organisation will receive. Each case will be considered against a set of conditions to judge whether a fine is needed, and how much.
These conditions are:
- How big and widespread the infringement was, and how many data subjects it affected and how severely. The type of data affected will also be considered.
- Whether there was any (intentional) neglect by the organisation concerning the infringement.
- Whether the data controller took action to prevent damage to the data subjects (e.g. after a breach, the 72 hours you have before notifying the Supervisory Authority can be used to minimise the damage to your customers, resolve the breach and put suitable preventions in place before notifying the Supervisory Authority; this will potentially help your case).
- How your data was protected in the first place will also be considered. If an organisation does not have suitable security measures in place, and cannot demonstrate its controls, this will count against the organisation’s case.
- The responsibility of the processor or controller, and whether they have had any previous infringements.
- The cooperation with the Supervisory Authority to fix the infringement.
- How the Supervisory Authority became aware of the infringement.
- The extent of adherence to codes of conduct specified by the Supervisory Authority.
- Any other factors relevant to the specific infringement in question, including but not limited to financial gains and losses.
A worst-case scenario can see a fine of up to 20,000,000 Euros, or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is greater. This again depends on the circumstances (including lack of compliance with the Supervisory Authority), and for that reason the figures can be lower (up to 10,000,000 Euros and 2%). The important phrasing here, though, is “up to”. It is unlikely that any organisation will be fined 10,000,000 Euros unless it severely infringes the regulations and the data affected is of high risk.
Remediation costs will also significantly affect organisations post-breach. An organisation’s size, how many employees it has and how many data records are affected by a potential breach all determine the remediation costs for the company. Using the supermarket chain Morrisons as a recent example: it lost 100,000 employee records, and on current estimates of remediation costs, the minimum Morrisons could be looking at is £75 million. That is a huge cost just to remedy a breach, and the figure would be huge for any organisation.
These consequences seriously highlight the need to comply with GDPR thoroughly and securely, and it is vital to get your business or organisation fully compliant before the regulations come into force in May 2018. Ask us now for a Gap Analysis or GDPR project delivery.
Much of this information comes from “Guidelines on Data Protection Officers”, a comprehensive guide on all things GDPR and a vital read for any Data Protection Officer.
You can also read our take on Equifax’s breach and lack of compliance with GDPR right here: https://activaconsulting.co.uk/activa-consulting-news/equifax-affected-under-gdpr-laws/