Hello and welcome to this webinar entitled Dealing With Security Breaches under the GDPR. My name's Kings Market. I'm a commercial lawyer who has many years' experience of dealing with data protection related issues and has been dealing extensively with the GDPR since it came into force on the 25th of May 2018. Now, of course, there are many issues to discuss in terms of the GDPR, but our focus predominantly today is on the issue of security breaches, which is one that has exercised a great many minds, frankly, and in reality, hasn't it? We're going to see what you need to be doing about it, what the rules are, and also what the Information Commissioner's recent thinking about this is, in terms of helping to form the way that you will deal with this particular topic going forward. Looking at our agenda, we'll begin with a limited background, not too much; then we'll talk about the rules on notification and communication; we'll work on two case studies; we'll also look at the documentation that you need to be familiar with, together with a series of links to the ICO's website; and finally, some specific tips from the ICO about how you can prevent this, or indeed how to react if you do have a security breach. Let's begin, then, by looking at the background. So let's take a moment to read what's on the screen, please: GDPR principle six. Take a moment to chew that over, and then I'll make one or two comments about it. So personal data is to be processed in a manner that ensures appropriate security, note that word 'appropriate', of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using, and here's your key phrase, appropriate technical or organisational measures. Now that phrase 'appropriate technical or organisational measures' is one that runs throughout the GDPR and indeed the Data Protection Act 2018, and therefore you need to be familiar with it.
And essentially what it shows is that this is not a one-size-fits-all approach: you're making a risk assessment about how much information you've got and how sensitive it is, and then what you put in place has to counterbalance that. Now, of course, the typical problem that does arise is what we might call a personal data breach. I'm now going to look at what that means in practice, define that in slightly more detail, and then we're going to go on to look at the specific requirements in terms of what you need to do if you are unfortunate enough to be on the end of one of these in practice. A personal data breach, then, is defined as follows, as we're about to see: a breach of security, we are talking squarely about a breach of security, leading to the accidental or unlawful, note those two possibilities, accidental or unlawful, destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. It's really important to understand the breadth of that particular idea of a personal data breach. Move on to the next slide and you'll see that the European Data Protection Board, the Europe-wide regulator, has produced guidance on this particular topic that takes that definition and expounds it into three specific areas. Again, have a look at those three things on the screen and ask yourselves which ones you would necessarily have associated with the idea of a personal data breach before you came on to this session today. Take a moment to look at that, please. So we have a confidentiality breach, where there's an unauthorised or accidental disclosure of, or access to, personal data.
I reckon you'd certainly have had that in your mind when you think about a personal data breach. Then an availability breach, an accidental or unauthorised loss of access to, or destruction of, personal data; less likely to have been thought of. And then an integrity breach, where there's an unauthorised or accidental alteration of personal data; even less likely. So this is not just about somebody simply stealing something or hacking into your system and doing various things to it. It's about actual loss of access, destruction, alteration: very, very broad. And again, the phrase behind all of this is what I like to call a friend-or-foe basis. It's either done in an unauthorised fashion by somebody from outside your organisation, or by somebody acting rogue within your organisation, or simply accidentally. So the breadth of this is actually quite significant. It's not just about where some hacker hacks into your system and brings it down or steals something, credit card numbers or something like that. It's a lot, lot broader than that. It's about your junior clerk accidentally deleting a particular file, as an example. So what are the consequences that could emerge from this? We'll see what is important there; let's just set out what those consequences may be. Well, first of all, on pretty much every occasion with regard to a personal data breach, there is a loss of control over personal data; that's pretty much taken as read, always, and that's why it's first on the list. It may then lead to some of the other things that you see on this list: financial loss, identity fraud or theft, damage to reputation, economic or social disadvantage, and discrimination. Now, we're not going to focus on the issue of compensation today, but ultimately any of those consequences could give rise to a claim for compensation, either in respect of financial loss or non-financial loss.
And that's something that's continuing to be debated at the minute at some length, as to the extent to which people can recover compensation; I'll go into that in a session coming up on that issue in the future. Now, let's move on from those consequences. One of the rules historically, under the Data Protection Act 1998, was that there was absolutely no obligation to tell anyone anything about a personal data breach. It may have been a good idea, and certainly the regulator encouraged it if it was a particularly serious breach, and typically, if you did cooperate with her, she would be more lenient in the way she treated you. However, since the GDPR came into force on the 25th of May 2018, it is now compulsory to notify the regulator and, in some cases, the data subjects affected, depending on the precise nature of what has gone on. So let's have a look at what those compulsory requirements now are, and then we're going to talk about how we might deal with this practically. So here we see on the first slide GDPR notification, Article 33: where the breach, that is, the personal data breach that we have talked about, is likely to result in a risk, please underline or highlight that word 'risk' in some way, this is extremely important, where it is likely to result in a risk to the rights and freedoms of natural persons, the controller must notify the supervisory authority, in our case the ICO, without undue delay, the classic phrase here, and not later than 72 hours from awareness. So note the 72 hours. Also note the phrase 'awareness', which is then defined in the European Data Protection Board's guidance as the following: a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised. Those are the key considerations, and we'll see a little bit later on that's something the ICO will be looking at quite carefully, and it's quite content to criticise you if you take too long to report.
Once you have an element of awareness, what must you tell the ICO? Well, I hope this is very old hat to you at this point, well after the GDPR came into force, but your obligation is what you see here on the next slide. You must tell them the number and categories of data subjects, the number and categories of records, the likely consequences, which we've just talked about, the measures taken, which is extremely important to mitigate your risk here, and finally details of your data protection officer, if you have one. If you don't, you will be required to provide details of some senior figure in your organisation as the point of contact. Now, we will see shortly that the ICO has produced a standard form with regard to this; I'll be alluding to it in a little while and also linking you to where you can get it if you want to. That, however, is just stage one. Stage two requires you, in some cases, as I have already mentioned, to communicate what's happened to the data subjects affected, but the key phrase immediately on this slide is that this is only where there is a high risk to the rights and freedoms of data subjects. So all of this comes down to risk assessment, and we'll see what the risk assessment factors are in a few moments. But remember, not all personal data breaches will pose a risk, or a high risk. You need to make that assessment, that judgment, and decide what you're going to do about it. Now, if you do decide that ultimately we do have a high risk here, you will have a requirement to communicate to the data subjects affected without undue delay; note there is no time period here, just 'without undue delay', using clear and plain language. What must you communicate? Well, what's on the previous slide: the number and categories, the type of data, and so on. So essentially it replicates what you told the ICO. What you told the ICO, you should also be telling the individuals affected.
It is extremely important at this point, before we move to the risk assessment, to acknowledge that there are two key exceptions in respect of communication. The first one is what we call appropriate measures, or perhaps a better way of describing that is to talk about preventative measures. You did something in advance so that when the breach took place, the impact of it was minimal. And the classic example here is to suggest that the information is then in an unintelligible form; the best example of that is if you've encrypted it. So if you lose something that's encrypted, chances are the argument is that you had an appropriate measure in place, the personal data is unintelligible, and therefore there's no high risk. That doesn't necessarily mean you don't tell the ICO, but it does certainly mean you do not need to tell the individuals affected. That's a really, really significant point in the circumstances. Now, if you haven't been able to take preventative, appropriate measures, you may have to try and do something after the event. That is what we call subsequent measures, meaning that the risk is unlikely to materialise. Example: you lose a smartphone. That smartphone has not got a PIN code on it or some other form of encryption, but what you do almost immediately is wipe the content remotely, and if you can wipe the content remotely then arguably the risk is unlikely to materialise; again, you do not need to tell the individuals affected. How do we assess this risk? Well, we assess this risk using the five factors you see on the next slide. We look at nature, sensitivity and volume: in particular, the greater the sensitivity of the information, and the greater the volume of what was lost, the greater the risk. Ease of identification does what it says on the tin. So if I were to lose some information that has got a particular person's name and other identifying details on it, it is easy to identify the data subject who was affected.
However, if I lose a spreadsheet full of figures that is very difficult to navigate around unless you've got particular knowledge, again the risk is going to be lower. Severity of consequences: we talked about those; the financial ones are likely to push up the level of risk. Special characteristics is about the nature of the data subject. So if we've got children or vulnerable adults, again the suggestion is they are easier to exploit, so the risk rises with regard to them. Finally, we've got the number of individuals. Unsurprisingly, the general consensus is the greater the number of individuals, the greater the risk. However, if you read the EDPB's guidance in detail, you will note that they, and indeed the Information Commissioner, make it clear that numbers aren't everything: you can still have a high risk where it's a breach relating to one person, if there's a sufficiently large amount of information that is lost. Right, how do we deal with all this practically? Because that's all very interesting by way of background, but how do we deal with it practically? Well, here we go: breach documentation. Article 33(5) says the controller shall document any personal data breaches, comprising the facts, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance. So you've got four boxes at the bottom of this slide, and in a minute we're going to apply some of this to some case studies. But before we do that, let's think about the four boxes. You're going to have to list out the facts; in a minute I'm going to show you how you might do that. You must list out the impacts, what you've done about it, and your reasoning, and the key thing to notice is this.
You must make a note of this, if you're not familiar with it: even if your reasoning says we do not need to tell the ICO or the individuals, you must make a note of that reasoning, because the ICO ultimately has a right to request that information from you. So let's apply this. I've got four case studies, two on each of these two slides. Then we're going to put this into more specifics, in a documentary type scenario. Looking at these first two case studies, the breach is described on the left-hand side. You've got a column headed N, which stands for notifying the ICO, yes or no, tick or cross. You've got a column headed C, communication to the individuals affected, again yes or no, tick or cross. You may wish to have a comments column of your own. Take a minute to think about those and put your ticks and crosses in there. We want to talk about one or two other examples as well. So: an individual phones your firm to report a data breach. The individual has received a medical report intended for someone else. Is there a risk here? Absolutely, there is potentially a risk here, because the medical report is about that person: ease of identification, sensitive information. It's only one person, but it's very sensitive information, so you're almost certainly going to have to tell the ICO. Is it a high risk? Maybe. I mean, you may decide that you're going to deal with this proactively anyway, regardless of what your thoughts are about high risk. To me, the high risk is about the content, the level of the information contained in this report. It is particularly intrusive, and it's got a lot of information about their medical records, and absolutely, you may well have to tell the individual affected. Right, the next one: a direct marketing email is sent to recipients in the To or CC fields, so they can all see each of the other email addresses.
This one is deliberately left more vague, because we don't know how many people, we don't know precisely what can be seen, and in particular we don't know what the marketing email is about. So here, if you've got thousands or tens of thousands of people who can see each of those email addresses, then you've probably got an element of risk. Whether that's a high risk will really depend on what the email is about. If it's about people who are being emailed about whether they'd like to buy some medically related products, or they're part of a particular religious grouping or political affiliation, or something to that effect, all of that is special category data and therefore, I think, is pushing the risk up. But for now, we genuinely don't know here without more information. Let's move on to the next two, particularly the first one to start with; the second one here we're going to use as the basis of a case study in a slightly greater degree of depth in just a moment. Let's take a moment to read that, please. So your firm stores a backup of an archive of personal data, encrypted, on a CD. The CD is stolen during a break-in. What do we think? Well, for me, I reckon you've got an example here of preventative measures. Therefore I'm not going to tell the ICO, and I'm not going to tell the individuals affected, full stop. I think there is no risk or very low risk, and therefore I'm not going to tell either of them. Now, some people may beg to differ with me slightly here and may instead say, I'm going to tell the ICO but not the individuals. It's up to you, but bear in mind, as we're going to see in a minute, the ICO records that there's been a fairly significant over-reporting that's taken place since the GDPR came into force. At least 30% of the reports they've received were unnecessary, according to the ICO, and that could well fall within the unnecessary reports in reality.
Now, the second one we'll look at now: a spreadsheet containing the personal details, personal data, of 100 clients is mistakenly sent to the wrong mailing list with more than 1000 recipients. How would you deal with that? Let's have a look. That leads us on to the issue of documentation, and how we would document that breach and how we would deal with it. So we need to have a data breach log, we need to use the notification template, and I'm going to think about a communication template in practice. Let's look at each of those in turn. Again, these are my suggestions. I'll be pointing you towards the ICO's own document, pulling out some of the key questions from that as we go along, which hopefully will be helpful, but of course you also need to tailor this to your specific circumstances. Here's a data breach log. Again, I've simplified this, but I've got here the facts: spreadsheet showing the personal data of 100 clients mistakenly attached and sent to 1000 people. Effects: potentially identity fraud, and an element of anxiety and distress. Remedial action: perhaps mailings were suspended, all of those doing mailings were given specific guidance, the email is not repeated, clients have been informed, recipients have been asked to delete. The reasoning: we are reporting; we need to report here because of the number of people affected, the sensitivity of the information and the severity of the consequences. Now I have truncated that somewhat; you could certainly expand that quite easily, but that is the sort of basic stuff we need, followed by the reasoning. Now, what about the notification and communication elements? Well, there is a specific notification form that the ICO has produced, which you can submit via the Internet, or you can use it as the basis for a telephone conversation with them. I strongly recommend you do use this. There is no point reinventing the wheel if the regulator has produced such a document; use it. What's the point of doing anything else?
So I've now picked out, in the next couple of slides, some of the key things from that form in terms of the key questions they will be asking you. Some obvious things on this first slide; we've already mentioned these, but let's be clear. Details of individuals affected: 100 individual clients of the firm. Type of data: client data relating to ongoing matters. In some cases, it may be multiple matters, of course; you may expand that to say it's wills and probate, or family, or crime, or mental health, or corporate, whatever else happens to be the case. Details of your DPO: well, I've put John Smith in here for lack of originality. Again, remember, you may not have a DPO; for many of you watching this, you may well not have a specific requirement to have a DPO. However, you are going to need to put somebody's name on this: the senior partner, general counsel, whoever else happens to be appropriate. Now again, we've then got a description of the likely consequences, which we pull over from the previous slide, and also the measures taken. Now, those are the obvious steps. There are a couple of other things you need to think about in terms of the content of this form. First of all, right at the beginning of the form, you'll be asked whether this is an initial or follow-up report, and that's important because of the awareness discussion that we had earlier. You'll be asked to describe the breach; we've kind of done that. If it was a cyber incident, there are additional questions. On this particular occasion, it's not what I would call a cyber incident, so I will leave that to one side. Then they want to know how you found out about the breach, when you discovered it and when the breach happened. And this comes back to your awareness, and again, let me underline that the Information Commissioner is very hot on this 72-hour period. She takes the view that she does not expect you to wait until you've got every i dotted and every t crossed. She expects an initial report.
And then, as you can see, the language is 'initial report' followed by 'follow-up report' in the circumstances. So don't leave it too long thinking, I've got to get it all together. The expectation is that you will get enough that you can send it to her, and then you will follow it up with more detail in due course. It is extremely important to get that clear in your mind. Other things that you have to look at: training. There is a specific requirement, or a specific request, on that form for information as to whether the individual or individuals caught up in this breach have received data protection training in the last two years. Hopefully they have; if they haven't, it starts me thinking about improving your processes, so that regular updates are given, with examples of enforcement action perhaps, and so that people are aware of their procedures. We're going to see some specific tips from the ICO on this very, very shortly. Then they'll ask you to explain any delay; I've gone over that, so I'm not going to say that again. Lastly, they ask you to describe what actions you've taken. Have you communicated with the individuals affected? Have you communicated with other organisations, that might be the police, for example? And again, the contact details. So all of that is found within the notification template that the ICO has produced. Please use it; it will make your life a lot easier. Now we've got one final thing to note before we look at some final tips, and that is the communication template. I'd note that this is just my own document; there's nothing particular out there. Again, you need to describe those four things, and I'm not going to go over them again. You would use a similar level of detail, but it must be in a clear and intelligible form; that is the thing to note. Now, where can you find further information on this? Well, thankfully, you'll see there a variety of links to the ICO's guidance.
The top one is for the notification form, but you need to scroll down a little bit, find the notification form and click on it to download it in practice. Right, what has our regulator had to say about this? What are its various tips? These are from very recent documentation; they're actually found on those various links that you've just seen on the screen in front of you. So first of all, let's talk about prevention. I'm going to read these through very briefly as we begin to bring this session to a close. Avoiding loss or theft of personal data: first, understand what you've got and where it's stored; check the security of the storage, and there's that keyword 'appropriate': the greater the sensitivity, the greater the steps you will take. Have a clear policy about taking personal data off site, on memory sticks, smartphones, laptops, devices. Make sure you know what the policy is and make sure people stick to it. Make sure you've got adequate security; that could be encryption or two-step verification, but that is not an absolute requirement. Now, what about avoiding unauthorised access? Well, access limited to those who need it; having a confidentiality policy and, above all, making sure people know it's there, what they're supposed to do and what will happen to them if they breach it. Saving files to restricted areas: don't let everybody access the same information. And the obvious chestnut of not sharing passwords, albeit we know that is sometimes a little difficult to police. Finally, how to avoid sending data to the wrong person. This is one of the three areas that are the best examples of things going wrong. Well, disable the autocomplete function in terms of addresses; check record management systems; ensure mechanisms are in place to double-check addresses before sending personal data; and make sure people are trained and understand the implications of this. I cannot underline enough the importance of training, and it does not have to come from outside.
Maybe it can come from you quite easily, but again, these sorts of typical, simple ideas suggested by the ICO, put into your policy documents and communicated to your employees, put you in a very good position to try and resist enforcement action, and hopefully to prevent these things happening in the future. Two final lists from the ICO and we've finished. Preparing for a personal data breach: questions to ask of the organisation. Do we know how to recognise one of these breaches? Do we understand that a personal data breach isn't just about loss or theft? Have we prepared a response plan for managing any personal data breaches that occur? Have we allocated responsibility for managing breaches to a dedicated person or team? Do our staff know how to escalate an incident to the correct person? Nothing remarkable there, but it's important to get this right. And then it says: responding to a personal data breach. Do we have in place a process to assess the likely risk, which we've thought about? Do we know who the relevant supervisory authority is? Normally it will be the ICO; if you do cross-border work, it might be another one. Do we have a process to notify the ICO within 72 hours? Do we know what information we must give to the ICO? Finally, do we have a process to inform affected individuals? Do we know when we must inform them, and do we indeed know that we must inform them without undue delay? Do we know what information we must provide and what advice we must provide? And do we document all of these breaches, even if they don't all need to be reported? So let's summarise all of that. It's a lot to take in, but it is extremely important for you to get this process right. We have seen that the personal data breach definition is wider than you might think, so make sure you note that. Note that you've got notification and communication requirements in certain circumstances. But ultimately, most of this is about having clear documentation.
So: knowing what the ICO demands of you, and also making sure that your people are aware of their obligations and stick to those obligations in practice. Right, well, that's all I've got to say. Please do have a look at those links; they're extremely useful for you. So, as always, thank you for your kind attention. I'll speak to you again sometime in the future. Thank you and goodbye.