According to global digital security firm Gemalto, 1,541 data breaches in 2014 led to one billion data records being compromised, representing a four per cent increase in data breaches and a 78 per cent increase in data records that were either stolen or lost compared to 2013.

The findings are contained in the Breach Level Index and according to the report’s authors the UK is ranked as the worst in Europe and the second worst in the world in terms of protecting data from being lost or stolen.

Even taking account of the fact that Brits are more likely to report a data breach than their European or US counterparts, it’s still a significant risk that organisations need to take steps to prevent in the future.

“Every day this year the media has picked up on a reported data breach but the reality is that this is just the tip of an enormous iceberg and there’s no cold comfort available from the fact that some – but not all – data breaches are being reported as the vast majority aren’t, which is a major cause for concern as organisations are storing up trouble for themselves in the future,” warns Martin Hickley, a leading data protection and governance expert who works with organisations in sectors that appear to be more ‘accident prone’ to such situations.

The point is that at present, organisations aren’t compelled to report data breaches. However, under the new EU General Data Protection Regulation (GDPR) they’ll have to report all breaches with the minimum of delay or face significant financial penalties for failure to do so.

The solution is for all organisations – big or small – to carry out what’s known as a Data Protection Impact Assessment (DPIA) – sometimes also known as a Privacy Impact Assessment (PIA) – so that they are fully aware of the risks they are currently running in their personal data processing activities.

“DPIAs are a really excellent way for organisations to quickly identify, understand and address any privacy issues that might arise when developing new products and services or undertaking any other new activities that involve the processing of personal data.

“Here in the UK, the Data Protection Act 1998 doesn’t oblige organisations to conduct DPIAs but the Information Commissioner’s Office (ICO) is on record as making it clear it represents current 'best practice' and has issued guidance on how organisations can get the most from such assessments,” says Hickley.

It’s clear that the GDPR will replace the voluntary nature of such assessments and will undoubtedly lead to a massive surge in the reporting of such breaches across the EU.

Under the GDPR, organisations would have to conduct a DPIA before proceeding with 'risky' personal data processing activities. The European Commission has said it favoured this measure because the indiscriminate notification regime had not always contributed to improving the protection of personal data.

Specifically, the European Commission has said that a DPIA would need to be carried out by data controllers or processors acting on their behalf where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes.

This casts the net very widely and any assessment would need to look into the impact of the envisaged processing operations on the protection of personal data. This can’t any longer be an afterthought but must now move to the centre of any processing activity contemplated involving customers, clients, supporters and the general public.

The Commission outlined a non-exhaustive list of examples of 'risky' processing activities for which a DPIA would need to be conducted.

For example, this would include some automated processing operations and other processing activities that use information about individuals' health or race, large scale video surveillance in public areas, the processing of personal data about children, or using genetic or biometric data, within large scale filing systems.

Under the GDPR, data protection authorities (DPAs) could retain the power to set precise criteria and conditions for processing operations requiring a DPIA as well as the standards and procedures to be adhered to when undertaking such a review.

There’s still a debate taking place between the European Commission, the European Parliament and the Council of Ministers, all of which need to agree on a way forward that each can sign up to.

However, the European Parliament’s view is very clear and is likely to be adopted in the final text of the GDPR – every organisation will have to conduct a risk analysis of their intended personal data processing activities. The analysis would have to look at the potential impact of the processing on individuals' rights and freedoms, and identify whether the processing is likely to present specific risks.

In most cases where such 'specific risks' are identified, organisations would be forced to undertake a more comprehensive DPIA before proceeding with the processing. This would include cases where a business intends to process the personal data of more than 5,000 people in a year.

“Other activities likely to be caught by a compulsory DPIA will include building profiles about individuals, data about children, sensitive personal information, or where there would be large scale automatic monitoring of public areas. In addition, a DPIA would need to be conducted if an organisation's risk analysis found that a data breach incident would likely adversely affect the protection of the personal data, the privacy, the rights or the legitimate interests of the data subject,” explains Hickley.

Hickley has carried out a large number of DPIAs and has noticed that many organisations are starting to panic as they fear legal action should data breaches require investigation by the ICO and other regulatory bodies.

“A DPIA must include a systematic description of the personal data processing activities that the organisation is undertaking as well as what the purposes of the operations are and what legitimate interests if any the organisation is pursuing. Companies should include their own assessment of the necessity and proportionality of the processing and the risks to individuals' rights and freedoms it raises, and the measures they intend to take to address the risks and minimise the volume of personal data which is processed,” advises Hickley.

Other matters that frequently come up in a DPIA are an explanation of the data privacy and security safeguards in place and a general indication of the time limits for erasure of the different categories of data to be processed.

In large organisations, the DPIA needs to go much deeper and understand the nature of third party organisations that the company is proposing to share this data with as well as what plans it has to transfer the data overseas.

“Under the proposed GDPR, companies would need to conduct such a review every two years in order to be compliant and such reviews would need to be done by the new breed of Data Protection Officers (DPOs) that report such results directly to the Supervisory Authority,” adds Hickley.

A further worry for companies under the GDPR is that they could be forced to notify individuals if a DPIA indicates that their processing operations present a high risk to their rights and freedoms so as to meet their fair processing disclosure obligations.

Furthermore, businesses would have to consider the results of DPIAs when reviewing whether their personal data processing activities and security measures adhere to the GDPR.

“We’ll have to read the fine print of the GDPR when it’s been approved but it’s likely that companies will be able to go ahead with processing personal data of a 'high risk' nature provided they’ve put in place measures to mitigate the risk of a data breach in the wake of a DPIA that’s been carried out.

“However, DPOs will have powers to set out the type of processing activities that businesses would have to consult them on and would be able to step in where they are of the view that risks have either been insufficiently identified or mitigated,” says Hickley.

For many organisations conducting a DPIA, it’s the first time their data processing systems have been viewed from a qualitative perspective, adds Hickley.

“Many organisations have built their data processing systems over a period of time and as a result they often find risks that hadn’t been identified before. Under the new GDPR they might be required to suspend processing until they mitigate such risks.”


By Ardi Kolah, Chairman of Law and Marketing Committee for The Marketors. 