While direct marketing agencies and data firms have been having sleepless nights over whether their marketing data will be rendered illegal by the EU data protection reforms, the new rules on data breaches threaten to wreak even more havoc, triggering huge fines for both the company and its staff.
That is the dire warning issued by Ross McKean, partner at law firm Olswang, who claims the mandatory breach notification requirements are likely to make concerns over consent for marketing data seem like a small sideshow.
Speaking at Context Information Security’s Oasis symposium in London, McKean explained: “Currently there is no general data breach notification requirement in the UK, and most firms choose not to go public if they can avoid it, to avoid taking a hit on their reputation.”
But the EU’s General Data Protection Regulation (GDPR) and Network and Information Security (NIS) Directive – both expected to be finalised by the middle of 2016 – will change that. The GDPR will make notification of most breaches involving personal data mandatory, while the NIS Directive will add incident-reporting duties for operators of essential services and digital service providers.
Citing the case of US retailer Target – which saw a 46% drop in quarterly profits following a major data breach – McKean said costs directly related to the breach were reported to be around $252m, and that the breach triggered the exit of both the company’s chief executive and chief information officer.
“When things go bad, this is what can happen,” warned McKean, adding that UK companies should look to the US and learn.
The GDPR will bring fundamental change in the UK, he said, particularly regarding breach notification, because the law will apply to every data controller and data processor that touches personal data.
The GDPR is expected to require notification only if there is a “high risk” of loss to the individual – but McKean said that, considering “high risk” is defined as a risk of fraud or identity theft, that threshold will probably be quite low. And it will make data processors accountable for data protection and subject to fines for the first time.
“Data processors or suppliers will also have to notify customers (data controllers) of any data breaches immediately, and data controllers will have to keep a record of data breaches, which means they will have to have monitoring and other systems in place to support this,” said McKean.
Failure to comply with the GDPR will also result in revenue-based fines that could prove much higher than the current cap of £500,000 on the monetary penalties the Information Commissioner’s Office can impose for contraventions of UK data protection law.
Under the changes, fines for non-compliance could be as high as €100m (£70m) or up to 5% of a company’s annual global turnover, whichever is greater – although some commentators believe the percentage will come down to 2%.
To put that in context, if the new rules had already been in place when TalkTalk was hacked last month, it could be facing a fine of nearly £90m, or 5% of its £1.8bn turnover. That is in addition to the £35m in one-off costs it has already set aside, and the cost of any resulting legal action from customers.
McKean is urging UK firms to change their incident response processes to include legal involvement – either internally or externally – from the start, so that any forensic reports produced can be protected by legal professional privilege. In practice, that means having lawyers commission the forensic investigation for the purpose of giving legal advice, rather than bringing them in after the report has already been written and circulated.
However, the time remaining to start putting changes into place is short. Once the GDPR is adopted, companies will have just two years to get all the processes up and running before it applies.
“This is not a particularly large window for companies to move from tick-box compliance to real compliance which, for many companies, will require changing the whole way they deal with data – two years is not a lot of time to achieve that transformation,” said McKean.