Data Protection Breach by an Employee

As your online presence increases, so does the risk of people stealing your personal data.

And if you're an employer, your business needs secure data protection. Otherwise, you're at high risk of suffering legal action, GDPR fines and reputational damage.

Personal data breaches are a threat to your business. Which is why you must follow the law accordingly.

In this guide we’ll explain what GDPR is, how to avoid a data breach, and how to comply with UK law.

What is GDPR?

GDPR stands for general data protection regulation. And aims to give more control to individuals when it comes to their data.

The law came into effect in 2018. And applies to EU countries, as well as the UK.

Who does GDPR apply to?

Every business should follow GDPR.

GDPR laws outline three personal data factors to consider:

●      Data subjects: This is who the personal data relates to.

●      Data controllers: This is the individual or business who decides what data to collect and how.

●      Data processors: This is the individual or business who processes personal data for the controller.

The Data Protection Act 2018

The Data Protection Act is a UK law that controls how businesses and organisations manage your personal data.

Organisations, businesses, and even the government have a legal responsibility to protect personal data.

Any person or employer storing this data should follow the data processing principles. Which you can find under the Data Protection Act.

Data processing principles

Data processing principles are a set of strict rules. They act as a guide to storing personal and sensitive personal data safely.

The seven data processing principles are as follows:

• Lawful, fair and transparent: You use the data on a lawful basis, fairly, or transparently.
• Limited: You use the data for specific purposes.
• Data minimisation: You are explicit about the data's use and purpose.
• Accuracy: The data contains accurate information and is up-to-date.
• Not kept longer than needed: You keep the data for the length of time it is needed.
• Integrity and confidentiality: You keep the data secure and private.
• Accountability: You should have appropriate measures in place to manage data.

Compliance with these principles is a good start for those storing personal data. And those looking to implement strong data protection practices.

What rights do data subjects have?

Under UK GDPR, data subjects have certain rights in regards to how third party services process and control their personal data.

These rights include:

• Right to opt-out: They can ask to delete their information from any company’s database.
• Right of access: They can review their own data collected by companies.
• Right to object: They can reject any request for unlawful processing of personal data.
• Right to rectification: They can ask to change or amend their information.
• Right to portability: They can ask for access to their own data and transfer it.

What is personal data?

Personal data refers to information about an individual. Information about companies, organisations or public authorities is not personal data.

The law states that stored personal data cannot:

• Identify an individual.
• Indirectly identify an individual when combined with other information.

Examples of personal data include:

• Telephone numbers.
• Email addresses.
• Home addresses.

Identifiable factors

An identifiable factor is a recognizable detail of a person. If processed data includes an identifiable factor, this breaches GDPR.

Identifiable factors include:

• A person's first and last name.
• An identification number.
• Location details.

The Data Protection Act provides a list of identifiers should your business need to refer to it.

What does GDPR compliance look like?

You should ensure you are GDPR compliant when dealing with the personal data of employees and customers. To be compliant with GDPR, you should ensure you follow certain practices.

This includes:

• Obtaining consent.
• Lawful data processing.
• Secure data protection.

Let's explore these examples in more detail.

Obtaining consent

You should obtain consent when storing personal data.

Lawful consent will:

• Explain the reason for stored or used data to the individual.
• Explain how those responsible will manage stored or used data to the individual.

For example, an employer may want to obtain consent from their customers for marketing purposes.

To do this, they may send an email giving customers the chance to confirm their marketing preferences. This will give them the option to opt-in or out to future marketing communication.

Lawful data processing

To process personal data, you must have a valid lawful basis. You do not have a lawful basis for processing if there is another reasonable and less intrusive way to achieve the same result.

There are six lawful bases under UK GDPR.

These include:

• Consent: You have received consent from the individual.
• Contract: Processing the data is necessary for a contract you have with an individual.
• Legal obligation: You have a legal obligation to do so.
• Vital interest: You have a vital interest in doing so. For example, the data could save a person's life.
• Public task: It's necessary for you when performing a task in public interest or for an official function. The task should have a clear basis in law.
• Legitimate interest: It's necessary for your legitimate interests.

A data subject can override these bases if the information is special category data.

Processing special category data

Special category data is also known as sensitive data. Processing special category data has a higher risk than any other type of data.

Examples include:

• Bank account information and credit card details.
• Health, biometric data or medical records.
• Details of ethnic origin, religious beliefs, or sexual orientation.

Because of its sensitivity, special category data needs to be processed and collected differently. This means following certain conditions.

These conditions include:

• A not-for-profit body requires the information.
• The data subject makes the data public.
• A legal claim requires the data.
• The data is of substantial public interest.

Secure data protection

There are a number of security measures you can take as an employer to maintain data protection.

These include:

• Doing a GDPR compliance audit.
• Appointing a data protection officer.

Let's explore these measures in more detail.

GDPR compliance audit

In order to see how GDPR compliant your business is, you should conduct a GDPR audit.

An audit will assess which parts of your business aren't following GDPR rules. And reveal the status of your current information security. It will also identify where there is risk of a personal data breach.

A UK GDPR team or third party can conduct the audit. And provide an objective view of your company's data processing. They will also provide guidance on how to improve your company's GDPR compliance.

GDPR audits are not a 'one-off' practice however, and your business should schedule one every year.

Appoint a data protection officer

The role of a data protection officer (DPO) is to make sure that data processing is done in accordance with GDPR.

They are in charge of the decision making behind data safety measures. And must manage legal compliance, as well as liaising with the official authority.

A DPO will advise on how to improve your company's data protection and processing policies. As well as implementing their own organisational measures to keep personal data protected.

They can also answer questions from employees about their processing activities and data security.

Any organisation can hire a DPO, but your company should appoint one if they:

• Are a public authority.
• Carry out large-scale systematic monitoring of individuals.
• Carry out large-scale processing of special category data.

Should a personal data breach occur, a DPO will act without undue delay.

What is a personal data breach?

A personal data breach is an incident that leads to the accidental or unlawful loss of personal data.

This includes the alteration and unauthorised disclosure of personal data. As well as unauthorised access to a person's information.

Under UK GDPR, if a security incident takes place at work, the individual or business needs to establish whether a breach has occurred.

The effect of a personal data breach

Personal data breaches have a negative impact on the natural persons targeted. And can result in many possible adverse effects.

These effects include:

• Loss of physical or non-material damage.
• Emotional distress.
• Identity fraud.

Responding to the breach in a timely manner will mitigate these adverse effects. Especially if you have a breach procedure in place.

Managing a personal data breach

If your company suffers a security incident, don't panic. Instead focus your attention on reducing the adverse effects of the personal data breach.

As an employer, there are a number of steps you need to take.

These include:

• Establishing the facts of the breach.
• Containing the breach.
• Reporting the breach to the Information Commissioner's Office (ICO).
• Conducting a risk assessment.
• Contacting the data subjects affected.

Let's discuss how these steps work in more detail.

Establishing the facts of the breach

If your company receives a personal data breach notification, you should work out what actually happened. This means finding out the who, what, where, why and how.

To work this out, you need to ask the following questions:

• Who does the data breach affect?
• What data does the breach include?
• Where did the personal data breach start?
• Why and how did the personal data breach happen?

You should also consult the data processor and data controller within your business. They will be able to shed light on the cause of the breach. As well as disclosing the personal data records concerned.

The DPO or other contact point at your business should also be aware of the personal data breach. And have a response plan to mitigate the possible adverse effects.

Containing the breach

Next, it's important you contain the personal data breach as much as possible.

This includes:

• Disconnecting from the internet to stop the bleeding of data.
• Disable remote access capability and wireless access points.
• This is most achievable with low-risk data breaches.

For example, if you sent an email with confidential contact details about an individual to the wrong person, you could ask them to delete it.

But, more severe personal data breaches require remedial action.

Reporting the breach to the ICO

The law requires you to report a breach to the ICO.

The ICO is the UK's data protection regulator and supervisory authority for GDPR compliance. They can investigate the incident and determine who is at fault.

The report must include the approximate number of data subjects affected by the breach. As well as the type of data breached.

Ensure you report the incident without undue further delay. The report should be done within 72 hours of the data breach.

Conduct a risk assessment

If your company receives a personal data breach notification, you will need to take remedial action to work out if the breach is low or high-risk.

This means considering the following elements:

• Security: Other systems within your workplace may limit the risk of a personal data breach. For example, a security measure that masks information. Consult your DPO and work out if this is the case. Then you can confirm how serious the risk is.
• The personal data records concerned: Next, you need to establish how sensitive the data is. A data breach containing special category data will have more severe consequences than any other type of data.
• The likely consequences of the breach: Now you have obtained the necessary facts, you can then assess the consequences of the breach. You can manage most minor inconveniences. But you will need to make those involved aware if they are at risk of fraud, physical danger and identity theft.
• Circumstances of the breach: The circumstances of a personal data breach will change the effect it has. Confirming the circumstances of a breach will establish the harm the breach may cause to the data subjects. For example, you know a malicious third party didn't target your business as the data breach was accidental. And therefore, another breach is unlikely to happen.

If you want more information about conducting a risk assessment, check out our guide.

Contact the people affected

Your company may suffer a personal data breach that jeopardizes the rights and freedoms of individuals.

If so, UK GDPR states you should inform them without undue delay. This includes advising them of the immediate risk of the breach.

This will help them take steps to protect themselves from the consequences.

Is it a criminal offence to breach GDPR?

A GDPR breach is a criminal offence.

No matter how well you manage a personal data breach, it is still GDPR infringement. And non-compliance means your business could face criminal action.

Examples of criminal action include:

• GDPR fines.
• Data subjects taking legal action.
• Enforcement action.

Let's explore these examples further.

GDPR fines

The ICO may issue a fine if a business breaches GDPR.

Under the UK law, there are two tiers of administrative fines a business can receive for breaching GDPR.

These are:

• The standard maximum fine: A maximum fine of £8.7 million or 2% of annual global turnover. Usually, whichever is higher.
• The higher maximum fine: The higher maximum amount is £17.5 million. Or 4% of the total annual worldwide turnover in the preceding financial year.

The ICO conducts a discretionary and case-by-case basis when issuing fines.

Data subjects taking legal action

If your business suffers a personal data breach, the data subjects affected may want to take legal action. These subjects may include employees, customers and business partners.

Subsequently, your business may endure reputational damage as a result. And, this could mean more financial loss for your company, if you lose clients and customers as a result.

It may also result in lack of employee trust. Employees may not feel their information is secure due to the personal data breach.

This may increase employee turnover until you implement proper security measures.

Enforcement action

In more severe cases, breaching GDPR could even result in a prison sentence for company directors.

This is typically the case if the business has lost the data due to security weakness. Or, if data has been stolen from an employee within the business.

Get expert advice from Peninsula

As an employer, you should have a safe approach when storing the personal data of your clients, customers and workers. Personal data includes contact details, employment information, or medical records.

Even someone visiting your website can provide you with their information, and you're responsible for keeping that data safe.

If you don't have a safe approach in place, your business may suffer a large data breach, which can mean losing customers, as well as a financial loss from GDPR fines.

Our teams provide 24/7 HR advice which is available 365 days a year. We take care of everything when you work with our HR experts.

Want to find out more? Contact us on 0800 028 2420 and book a free consultation with an HR consultant today.