GDPR breaches – the latest scare story?

Posted: 30/10/2018


So here you are. October is almost over and the nights are drawing in. All those long hours worked earlier in the year, getting your GDPR compliance up-to-date and all your marketing consent forms ticked – it is all over! You can sit back in a comfortable armchair beside the fire, and sip your cocoa. There is nothing in the world to worry you – until the silence is shattered by your colleague screaming that they have found a data breach! 

Who you gonna call?

Do not get spooked!  Yes, the fines might be getting bigger and the publicity scarier – but suspected GDPR breaches are like ghost stories on Halloween – there are lots of them, they are completely inevitable, most will turn out not to be real – and of course, the only way to stop them scaring you is to talk to someone. So don’t sit around hiding in the dark, waiting to be spooked – make a plan and know who you’re gonna call (sorry this just gets cheesier).  In case you haven’t worked it out yet, it’s us!  The number is at the bottom of the page.

But when are you going to call? Well – as soon as you think there might be a breach.  Don’t wait until you’re sure – get us involved as soon as possible, and we can help limit the horror.  Depending on how serious it is, there are up to three steps that you will need to take – and we can help you work which apply. 

Step 1

All breaches (whether there is any actual loss of data or not) must be recorded internally, and recorded clearly – as could later be inspected by your "supervisory authority". 

Depending on the breach, you should also consider notifying your insurer.

Step 2

Any breach which affects the security of personal data within your control must be notified to your “supervisory authority” (generally the Information Commissioner, but not necessarily) “without undue delay” and generally within 72 hours of the first ghostly sighting.  Given it will take you a little while to start breathing again, confirm whether it really was a ghost, work through your procedures and then seek help – that doesn’t give you very long!  It’s best to plan now – so that when needed, you have an action plan you can put into effect smoothly, and reduce the scary possibilities as soon as possible.

Step 3

Certain breaches also have to be notified to the individuals whose personal data has been affected by the breach.  Depending on the size of the breach, this could be a lot of work for you and your team - and if you handle it badly, your customers won’t just be scared, they’ll run away.  So, protect your business by asking our advice - we can help you identify those breaches which need to be notified in this way (and may surprise you with which do not), the likely consequences of the breach and how to mitigate those – and assist with the method and wording of the notification itself.  

“I ain’t afraid of no ghosts” 

No sensible ghost-buster sits around, unprepared, wondering if a ghost to show up - and no sensible organisation controlling personal data sits around waiting for a breach to happen.  Data-savvy organisations who regularly review their technology and security procedures are more likely to spot potential spooks and spectres, meaning they can hopefully remedy the problem before it’s materialises into a House of Horror spectacular.  You need to consider now (not once you’ve had the first spooky sighting) how you will keep your data safe, with regular checks and audits.

But a word of caution for you, ghostbusters – there are twists in the tale! 

  • Announcing too many spooky sightings, patch updates or false alarms, and your customers may question whether you were ever suitable to be in business in the first place! 
  • Equally – trying to stifle news of even a single bump-in-the-night could backfire, if news later leaks outEarlier in the year, Google identified a problem within their Google+ platform and fixed it.  No data was compromised, no breach needed reporting and all seemed well – until news of the problem leaked some six months later, spooking the market and resulting in the platform now being shut down for loss of confidence.

So, when you devise your ghost-busting plan to keep an eye on your data, take some time to consider how you might communicate any ghostly warnings to your staff and customers as  well – ensure no horror stories are left circulating, long after the ghost itself was busted!


Return to news headlines

Penningtons Manches LLP

Penningtons Manches LLP is a limited liability partnership registered in England and Wales with registered number OC311575 and is authorised and regulated by the Solicitors Regulation Authority. San Francisco is an associated office.

Penningtons Manches LLP