Losing personal information through a corporate data breach could be about to become more expensive, if a new amendment to the Data Protection Act 1988 (DPA) becomes law. Yet, while protecting personal information is difficult, a solution exists that both facilitates compliance and delivers big business benefits.
The Data Protection Act (DPA), which is designed to protect digitally stored personal data, is about to be joined by the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018. The GDPR is intended to strengthen and unify data protection for all individuals within the European Union (EU) by giving control back to citizens and residents over their personal data and simplifying the regulatory environment by unifying the regulation within the EU.
The overall effect will be to increase both the size and the likelihood of penalties for companies holding personal information that allow that data to be released into the hands of unauthorised third parties – such as hackers. Thus the risks associated with data breaches will increase.
Looking back for a moment, we can see that digital technology has always been freighted with risks alongside the benefits. However, while most companies have had only reputational damage to contend with – although even this can of course be catastrophic – the DPA has added legal penalties.
For example, following a data breach in 2015, Carphone Warehouse was recently fined £400,000 under the DPA for what the Information Commissioner’s Office (ICO) described as a series of "systemic failures". These included not patching software, lack of rigorous controls over logins, lack of AV software, over-use of root on servers, and storing credit card details without good reason.
Getting it wrong is expensive
Larger companies might consider that a fine such as that attracted by Carphone Warehouse is a tolerable and less costly alternative to initiating and managing complex compliance procedures. However, this is failing to consider a range of other, costly factors.
Figures from the UK government and PwC have indicated that the average cost of a security breach for big businesses was around £1.46m in 2014, according to one corporate governance company. And the BBC reported that TalkTalk estimated a data breach following a hacker attack in 2015 could cost it up to £35m. This is before you calculate the cost of reputational damage, which one analysis revealed can double the direct costs of a breach.
However, the DPA's provisions may be further beefed up, if an amendment to the Act being considered by the House of Lords becomes law.
Right now, one of the problems with the DPA identified by some members of the House of Lords is that, in order to bring a case, lawyers must obtain the consent of individual injured parties. So an amendment, tabled by Lord Stevenson of Balmacara and Baroness Kidron, would enable cases to be brought on behalf of all victims, without first seeking their permission, unless they opted out.
This would expose a company to higher compensation payouts if it failed to stop data breaches. It would also make it easier for customers and others to sue companies that are careless with personal information. As a consequence, compensation payouts for companies that fail to staunch data leaks are likely to rise.
Baroness Kidron is reported in The Times as saying: "I think the amendment’s greatest value may be in getting companies to take data protection seriously in the first place."
How to respond
It is important to recognise that security is a moving target: the hacking world is dynamic, as are most businesses. We are unlikely ever to arrive at a point where the security effort can cease because the data are secure. Instead, it is more realistic to aim for data protection that is as good as is reasonably possible, a posture that is likely to be legally defensible.
And given the need to comply with both the DPA and the GDPR, it is clear that a fundamental requirement of securing personal and other data is an understanding of where that data resides and how it is being used – despite its dynamic nature.
So compliance with the GDPR will entail the deployment of tools that enable visibility into those dynamic data flows and processes – tools such as trust-hub's unique, modular platform which enables personal data to flow securely through your business, adapting to operational needs and supporting regulatory compliance.
This will enhance the protection of personal data, and potentially mark a new beginning for customer relationships.
Along with a culture shift that sees the security of personal data as a fundamental process, baked into everything that the organisation does, an emphasis on protection of personal data is likely to result in stronger engagements and trust relationships with customers. In turn, this will enable organisations that are able to demonstrate such trustworthiness to enhance the attractiveness of their business to potential customers. The bottom line can only benefit.