The mandatory breach notification requirements of the overhauled European data laws are likely to have the biggest impact on UK businesses, according to Ross McKean, partner at law firm Olswang.
“Currently there is no general data breach notification requirement in the UK, and most firms choose not to go public if they can avoid it, to avoid taking a hit on their reputation,” he told Context Information Security’s Oasis symposium in London.
But the EU’s General Data Protection Regulation (GDPR) and Network Information Security (NIS) directive – both expected to be finalised before the end of 2015 – will change that, making notification of most data breaches involving personal information mandatory.
This will mean most UK firms will have to change their approach to data breaches and ensure they have processes to comply with the rules.
The case of large US retailer Target exemplifies the damaging effect of data breach notification, said McKean.
A 46% drop in quarterly profits followed the company’s notification of a substantial breach; costs directly related to the breach were reported to be around $252m (excluding the ongoing cost of rebuilding trust in the brand); and the breach led to the resignation of both the company’s chief executive and chief information officer.
“When things go bad, this is what can happen as the result of mandatory breach notification,” said McKean, adding that UK companies should look to the US and learn.
Once EU data breach notification laws are in force, it will be risky for UK companies to continue their practice of sweeping breaches under the carpet – but they can limit their exposure by involving their legal team as soon as a data breach is discovered.
In the US, McKean said, relatively few companies get their lawyers involved from the beginning to take advantage of legal privilege, which means that any internal report containing the details of the breach will be accessible to regulators and to the legal teams of those affected by the breach.
Privilege is key, he said, yet more than half of the cases in the US where forensic reports have been prepared are not prepared on a privileged basis – despite the fact that the first thing that usually happens is that US state prosecutors request a copy of the forensic report.
“Unless you can claim privilege, you have to hand it over and such reports tend to be fairly comprehensive,” said McKean. This gives third parties access to detailed and sensitive information about an organisation’s IT infrastructure and all existing security vulnerabilities.
Data controllers subject to fines
The GDPR will bring fundamental change in the UK, he said, particularly regarding breach notification, because the law will apply to every data controller and service provider that touches personal data.
The GDPR is expected to require notification only if there is a “high risk” of loss to the individual – but McKean said that, considering “high risk” is defined as a risk of fraud or identity theft, that threshold will probably prove quite low.
The GDPR will make data processors accountable for data protection and subject to fines for the first time.
“Data processors or suppliers will also have to notify customers (data controllers) of any data breaches immediately, and data controllers will have to keep a record of data breaches, which means they will have to have monitoring and other systems in place to support this,” said McKean.
The other big change, he said, is that failure to comply with the GDPR will result in revenue-based fines that could prove much higher than the current cap of £500,000 for monetary penalties that the Information Commissioner’s Office can impose for breaches of UK data protection laws.
Under the GDPR, fines for non-compliance could be as high as €100m (£70m) or up to 5% of a company’s annual global turnover – although some commentators believe this will go down to 2%.
In the light of these changes, he said UK firms should change their incident response processes to include legal involvement – either internally or externally – from the start, to ensure that any forensic reports produced are protected by privilege.
GDPR deadlines loom large
However, the time remaining to start putting process changes into place is relatively short, according to McKean, who said that sources close to the negotiation process believe an English text for the final version of the GDPR will be published by Christmas 2015.
“The GDPR still has to be translated into all official European languages, which is likely to take two to three months, but that means the clock could start as soon as March or April 2016,” he said.
After that, European companies will have just two years to ensure they have all the processes up and running to comply with the GDPR when it becomes law.
“This is not a particularly long window for companies to move from tick-box compliance to real compliance which, for many companies, will require changing the whole way they deal with data – two years is not a lot of time to achieve that transformation,” said McKean.
How to build GDPR compliance
However, he set out some guidelines for UK companies to build better compliance capabilities in the time left.
“Engagement with the business is key to transforming businesses in preparation for the GDPR, and not using words like ‘legal’ and ‘compliance’ helps with this,” said McKean.
“Find something that resonates with as many people in the business as possible – such as the issue of security breaches and the general concern about fraud, which makes it fertile ground for building engagement.”
War games or cyber attack simulations provide another useful way of building engagement, by involving people from information security, information technology, communications, legal and any other people who form part of the organisation’s crisis team.
“There is real value in providing this networking opportunity because, when there is a breach, all the people who need to deal with it will have already met each other and worked together on similar scenarios in a simulated crisis situation,” said McKean.
The 10 Data Commandments
In building engagement, he said, it is important to keep it simple and follow ten “data commandments” that Olswang has compiled.
Be transparent. Tell people why you are collecting their information and minimise it wherever possible. “If you don’t have to collect data, then don’t – because the more you collect, the greater the risk,” said McKean.
Justify it. Ensure there is a good reason for collecting personal data. “And ensure you have the necessary consent that is likely to be required by the GDPR,” said McKean.
Respect freedom of choice. There is no legal requirement to build a “preference centre” but McKean said that, by doing so, companies can build trust with customers.
Avoid surprises. “Don’t surprise people. Surprises lead to claims,” said McKean.
Keep it secure.
Do not keep it too long. “When we do audits we often discover very old information, but now is the time to tackle the challenge of data retention and data wiping because compliance is much easier if there is less data involved,” said McKean.
Comply with data transfer restrictions.
Take care of suppliers. “This is important, because the weakest link is often somewhere in an organisation’s supply chain. What we are likely to see, as a result of GDPR, is much greater focus on governance, transparency and audit throughout the supply chain. Again, real compliance rather than tick-box compliance,” said McKean.
Do the right thing. “In the brave new world after the GDPR comes into force, it is about doing the right thing and being seen to do the right thing,” said McKean.
For any company faced with a substantial fine, policies, privacy impact assessments and other ways of documenting decisions will be extremely important in demonstrating what the company has done to comply, said McKean.