Changes to EU Data Protection law mean that UK businesses will no longer be able to get away with sweeping news of a data breach under the carpet. The terms of the EU’s General Data Protection Regulation (GDPR) have been finalised and countries now have two years in which to adopt the new rules before they become the law in 2018.
Until now, the UK and several other countries have been allowed to translate the principles of the EU’s Data Protection Directive into their own set of standards – ours has been known as the UK Data Protection Act. However, the GDPR requires all member countries to adapt their existing laws and adhere to much stricter policies.
It is imperative that UK companies realise their increased responsibilities in remaining compliant with the changes in data protection law. Those that suffer a data breach will be liable to much larger fines under the GDPR.
Currently, the Information Commissioner’s Office can fine firms up to £500,000 for a data breach. However, the GDPR will apply revenue-based fines which could potentially be higher than the current set limit: penalties of up to EUR 100M or 2-5% of a company’s annual global turnover.
The GDPR requires companies to inform their customers of a data breach when there is a high risk of loss to that person. High risk is classified as including the possibility of fraud or identity theft, so potentially most data breaches will fall into this category. This is particularly important in the loss of sensitive data from a Chambers IT system, where all client data should be considered highly confidential. Law firms must follow their own industry regulations to the letter in the case of a breach – these include informing their own bank, their professional indemnity insurer, the SRA and the police as soon as they are aware that a breach has occurred. Failure to do so could result in the closure of Chambers.
For the first time, data controllers will be held responsible for information loss and will be liable for the imposed fines.
Ross McKean, a partner at law firm Olswang, explains:
“Data processors or suppliers will also have to notify customers (data controllers) of any data breaches immediately, and data controllers will have to keep a record of data breaches, which means they will have to have monitoring and other systems in place to support this.”
Of course, with cyber threats advancing on a daily basis, there is always the possibility that a data breach will occur. So how can a firm such as Chambers protect itself in the event of such a disaster?
Data Breach Plans
All firms should have a disaster plan so that there is a clear process in place in the case of a data breach. Having such a document will help to convince regulatory bodies that a firm has taken reasonable steps, both before and during an incident, to uphold its responsibilities in protecting sensitive data. Legal firms in particular will be under increased scrutiny to make sure that their compliance procedures are followed.
All staff should be given regular training as part of an ongoing programme. The aim should be to educate users on the current threats and how they can modify their typical behaviour to reduce the possibility of a company data breach. This might include, for instance, reiterating the importance of not clicking on untrusted links within an email.
Lead By Example
Ensure that all senior management are on board with the importance of respecting the data protection procedures set out by your compliance and IT departments. If managers lead by example, this will support a zero-tolerance approach to negligent behaviour within the workplace, such as the sharing of passwords between colleagues.
Firms should keep clear documentation detailing their processes and security logs, and proof that the company has done everything it can to comply with data protection laws. Your company might have a good reason for following a different approach to the best practices laid out by the IT security industry. If this is the case, then make sure that your reasons for using a different data protection strategy are also documented in full.
We are IT security professionals who specialise in assisting Chambers to meet their data protection requirements. To find out how we can fully secure your IT systems and protect you from a malicious cyberattack, contact us for a consultation about your existing and future security requirements. Want to know more? Get in touch today.