Data breaches involve unauthorised access to, or the disclosure of, sensitive, confidential or otherwise protected data. This may include personal information, such as health or financial account details, as well as trade secrets or intellectual property. There are currently strict regulations in place in the UK to protect data and reduce the risk of a data breach occurring.
However, there are always exceptions to the rule, and businesses should be aware of what they need to do if a data breach occurs.
Aisha Akhtar, a Solicitor in the Corporate and Commercial team, and James Martin, an Associate Solicitor in the Commercial Dispute Resolution team, at Blacks Solicitors, share their advice on data breaches, and what businesses need to be aware of if a data breach claim is brought against them…
GDPR and personal data protection
According to Aisha, Article 32 of the UK General Data Protection Regulation (GDPR) outlines and establishes the minimum level of security that an organisation must have in place to protect personal data. She comments: “Within this, there is a specific emphasis on the ability to protect against Personal Data Breaches, as defined by Article 4 of the UK GDPR. Failure to protect against this can attract maximum fines of up to 4% of the annual worldwide turnover, or £17.5 million. This is dependent upon which figure is higher.”
What to do in the event of a breach
James Martin advises that there are a number of things that potential defendants can do in the event of a data breach: “While there are actions that businesses can take, this will very much depend on whether the alleged breach is accepted, or if the allegations are disputed.
“If there is a breach, there is a right to compensation as set out within Article 82 of the UK GDPR. The level of compensation will depend upon the circumstances surrounding the alleged breach and the information that has been released. The Court will also consider what effect, if any, the breach has had on the affected party. For example, a breach related to the sharing of medical or financial records will be regarded as serious.”
When it comes to actions that can be taken, James advises: “In all types of cases, due to the complex issues involved, it would be advisable for any Defendants to obtain legal advice at an early stage. Where it’s accepted that a breach has occurred, it would be beneficial to try and reach a compromise with the affected party (or parties) at an early stage to avoid having to incur the costs of dealing with litigation.”
How to avoid a breach
Aisha advises that there are a number of key initiatives that can be put in place by employers to mitigate the risk of a data breach: “Organisations must have in place physical, organisational and technical security measures to ensure adequate protection. There should also be an emphasis on ensuring employees throughout the organisation are trained on what is expected of them when handling personal data, and training logs can be kept to document this.”
When it comes to the security measures that will enable businesses to control data and how it is shared, Aisha adds: “Organisations are expected to carry out regular tests of the security measures that are in place to identify any areas of weakness. If an area is identified, the measures should be updated accordingly.
“When acting as a data controller, it’s important to note that businesses will remain ultimately liable for any acts or omissions of any processors who are appointed. From a due diligence perspective, basic checks can be undertaken to ensure that the processor can keep the personal data protected in line with the standard set by Article 32 of the UK GDPR.”