GDPR Data Security and Breaches 10 December 2019 Newcastle | Leeds - - PowerPoint PPT Presentation



SLIDE 1

Newcastle | Leeds | Manchester

10 December 2019

GDPR – Data Security and Breaches

SLIDE 2

  • Technical and Organisational Security
  • Handling data breaches
  • Case law

What we will look at today

SLIDE 3

Elizabeth Denham (Information Commissioner): "cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under the law, but because they have a duty to their customers".

Data security?

SLIDE 4

  • Legal obligations
  • Reputation and goodwill
  • Fines and enforcement
  • Other data protection liabilities
  • Compensation
  • Criminal penalties
  • Vicarious liability

Why does data protection matter?

SLIDE 5

Reported Personal Data Breaches in 2018

SLIDE 6

SLIDE 7

Types of Cyber Security Breach

SLIDE 8

Data Security

SLIDE 9

  • GDPR obligation
  • Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality)
  • Security should be appropriate to likelihood and severity of risks
  • Failure to keep data secure leads to personal data breaches

What do we mean by the term data security?

SLIDE 10

  • GDPR requires:
  • Controllers to ensure a level of security appropriate to risk
  • Risk analysis
  • Proportionality test

The requirement to use technical and organisational measures….

SLIDE 11

  • Confidentiality/Integrity/Availability
  • Confidentiality
  • Processed by those authorised to do so (and act within that authority)
  • Integrity
  • Accurate and complete
  • Availability
  • Accessible and usable

What is risk?

SLIDE 12

  • Analyse risk by looking at your security aims:
  • Managing security risk
  • Protecting personal data (against cyber attack)
  • Detecting security events
  • Minimising the impact

Security Aims (ICO and NCSC)

SLIDE 13

  • GDPR encourages a risk based approach to compliance
  • Need to identify high risks
  • Classify information from risk perspective
  • Identify and locate sensitive data and mark it
  • Develop and maintain a risk register
  • Describe/rate risks
  • Risk management

Identify Key Risks

SLIDE 14

Identify Key Risks

[Figure: risk matrix, axes "Likelihood of risk" and "Impact of risk", each rated 1 to 5]

SLIDE 15

  • You are aware individuals are conducting work business on private email accounts
  • You have premises with swipe card access but are aware cabinets containing HR records are not locked
  • HR have received only standard GDPR training
  • HR data stored in bespoke software system which IT department maintains itself
  • HR holiday and sickness forms are still manual (i.e. paper based)

Rate the risks – HR Team

SLIDE 16

  • What are the biggest risks in your organisation?

Identify Key Risks

SLIDE 17

  • What does appropriate mean?
  • What measures are appropriate?
  • What factors should you take into account?
  • Record measures you take

What are appropriate measures?

SLIDE 18

  • Appropriate to achieve the intended purpose
  • Appropriateness linked to effectiveness
  • i.e. measure is appropriate to implement data security effectively
  • Ensure any safeguards operate through the project lifecycle

Appropriate measures

SLIDE 19

  • Take into account
  • State of the art
  • Cost
  • Nature, scope, context and purposes of processing
  • Likelihood and severity of risks

Appropriate measures: Factors to take into account

SLIDE 20

What do we mean by “organisational security”?

SLIDE 21

  • Governance
  • Contracts and data sharing
  • Training and awareness

What do we mean by “organisational security”?

SLIDE 22

  • Management structures
  • Policies, procedures and documentation
  • Compliance and assurance
  • Identify and manage risks
  • Use of data protection impact assessments
  • Data protection by design and default

What is “Governance”?

SLIDE 23

  • Appointment of senior officer/director
  • Executive level
  • Responsibility for reporting data protection issues to executive
  • DPO/senior data protection manager
  • Supporting roles
  • IAO/DP Champions etc
  • Information security/information governance group
  • Accountability
  • Ensure evidence exists of roles and responsibilities

Management Structures

SLIDE 24

  • Art 24 GDPR
  • Obligation to implement appropriate measures to ensure and demonstrate compliance (accountability)
  • Includes implementation of appropriate data protection policies
  • Ensure clear endorsement of policies by board/ executive
  • Policies should indicate how risks assessed and escalated

Policies, Procedures and Documentation

SLIDE 25

  • What policies do you have?

Policies and Procedures

SLIDE 26

  • What policies do you have?
  • Do you have:-
  • A complaint policy?
  • A data security policy?
  • A security breach policy/protocol?
  • A training and awareness policy?
  • IT Use Policy/BYOD policy?
  • Physical security policy
  • Remote working policy?
  • Data retention policy

Policies and Procedures

SLIDE 27

  • You need to keep a full set of documentation to demonstrate your commitment to accountability
  • Processing record (Article 30)
  • Data breach log (Article 33(5))
  • Fair processing record (Article 5(1)(a) and 5(1)(b))
  • Data protection impact assessments (Article 35)
  • Contracts (Article 28)
  • Record of data sharing agreements
  • Record of consent (Article 7(1))
  • Risk register

Documentation (1)

SLIDE 28

  • Information required for processing special category or criminal conviction and offence data
  • Policies and procedures
  • General obligation to have a data protection policy (Article 24(2))
  • Data minimisation policy (Article 5(1)(c))
  • Data accuracy policy (Article 5(1)(d))
  • Data retention policy (Article 5(1)(e))
  • Data security policy (Article 5(1)(f))
  • Ability to demonstrate compliance

Documentation (2)

SLIDE 29

  • Data protection audit – mapping, document analysis and risk identification
  • Part of compliance with Art 24 but also:-
  • Deal with changes to processing presented by GDPR
  • Ensure accountability principle is satisfied
  • Reduce risk of data protection breaches occurring
  • Minimise consequences of data breaches
  • Reduce risk of being fined if breach occurs and restrict the amount of fine if one is levied
  • Rate your risks

Compliance and Assurance

SLIDE 30

  • Part of accountability principle
  • General obligation to show you have considered and integrated data protection considerations into processing activities from the start
  • Benefits
  • Identify and address privacy problems at an early stage (save cost)
  • Raise awareness of privacy and data protection
  • More likely to meet and exceed legal obligations/less likely to breach GDPR
  • Actions less likely to be privacy intrusive

Organisational security – data protection by design and default

SLIDE 31

  • Take into account
  • Cost
  • Nature, scope, context and purposes of processing
  • Likelihood and severity of risks arising from processing
  • Implement appropriate technical and organisational measures to implement the data protection principles
  • Integrate safeguards into processing/throughout project lifecycle
  • Privacy embedded
  • Privacy integral to design without diminished functionality

Organisational security – Data protection by design

SLIDE 32

  • Implement appropriate technical and organisational measures by default
  • Only personal data processed when necessary for a specific purpose
  • Data protection by default to be considered
  • When collecting personal data
  • Extent of processing
  • Period of storage
  • Accessibility

Organisational security - Data protection by default

SLIDE 33

  • An assessment of processing operations to identify privacy impacts and implications
  • Review processing operations
  • Analyse purpose of processing
  • Assess risk
  • Find ways to minimise risk
  • Mandatory for high risk projects that started after 25 May 2018
  • Consult with ICO/supervisory authority where DPIA identifies risk cannot be managed and remains high

Organisational security - Data protection impact assessments

SLIDE 34

  • Carry out due diligence on processors and those you share data with
  • Consider nature of processing and risks
  • Contracts-
  • Processors – need “sufficient guarantees” to appoint:-
  • To comply with GDPR
  • Protect data subject rights
  • Expert knowledge, resources and reliability
  • Data sharing (i.e. controller to controller transfers):-
  • Where you share personal data, carry out due diligence on the sharing partner

What do we need to consider with contracts and data sharing?

SLIDE 35

  • What do we mean by due diligence?

What do we mean by due diligence?

SLIDE 36

  • What do we mean by due diligence?
  • Compliance with industry standards
  • Level of technical expertise
  • Check accreditations/references
  • Check GDPR compliance – compliance audit/documentation/breaches?
  • If work performed off site, check site
  • Assessment of security procedures
  • Adherence to code of conduct/certification scheme

What do we mean by due diligence?

SLIDE 37

  • Contract with controllers
  • Article 28 clauses/other clauses
  • Contracts with data sharing partners
  • Controller – controller transfers not covered by Article 28
  • Ensure data sharing partner contractually bound to:-
  • Comply with data protection legislation
  • Use data for specific purpose only
  • Keep personal data secure
  • Report breaches

What contract terms do we need?

SLIDE 38

  • Raising awareness
  • Training
  • Accountability and training and awareness

Do we need to perform training and awareness raising activities?

SLIDE 39

  • Raising awareness
  • Training
  • Training strategy
  • When to train (on induction and annual refresher)
  • Training needs analysis
  • Specialist training
  • Temporary and agency worker training
  • Accountability and training
  • Training record
  • Use of KPIs

Do we need to perform training and awareness raising activities?

SLIDE 40

  • 72% UK employees have taken corporate data out of their organisation
  • 70% have plans to take data if they were to resign or lose their job
  • 59% believed data was theirs to take
  • 62% theft carried out by staff in IT or customer services department
  • 54% accessed data outside their explicit permissions

Organisational Security – The Enemy Within – Imperva Survey

SLIDE 41

  • Paralegal fined for taking sensitive information of over 100 people
  • Moved law firm and took workload lists, file notes and template documents containing personal data
  • Prosecuted under s55 DPA (equivalent to s170 DPA 2018):

“Stealing personal information is a crime….employees may think work related documents that they have produced or worked on belong to them and so are entitled to take them when they leave. But if they include people’s details, then taking them without permission is breaking the law”

ICO Head of Enforcement – Stephen Eckersley

James Pickles – theft of data

SLIDE 42

  • Information risk management
  • Home and mobile working
  • User education awareness
  • Incident management
  • Managing user privilege
  • Removable media controls
  • Monitoring
  • Secure configuration
  • Malware protection
  • Network security

10 Steps to Cyber Security

SLIDE 43

  • What does technical security consist of?

What do we mean by “technical security”?

SLIDE 44

  • Technical controls framework
  • Secure configuration
  • Patch and software version management
  • Up to date malware protection
  • Manage & monitor your network
  • Access rights
  • Default settings/passwords
  • Encryption/pseudonymisation
  • User education
  • Data minimisation
  • Using contractors
  • Incident management

What do we mean by “technical security”?

SLIDE 45

  • Technical controls framework
  • E.g. cyber essentials
  • Secure configuration
  • Set up and configure software for your needs
  • Patch and software version management
  • Increased vulnerability over time
  • Software update policy
  • What to do with unsupported software
  • Responsibility for updates

What do we mean by “technical security”?

SLIDE 46

  • Up to date malware protection
  • Manage & monitor your network
  • Periodic testing/assessment/evaluation
  • Access rights
  • Concept of “least privilege”
  • Default settings/passwords
  • Password protection
  • Encryption/pseudonymisation

What do we mean by “technical security” (2)?

SLIDE 47

  • User education and awareness
  • Train staff on data security/cyber awareness
  • Minimise data
  • Using IT contractors - ISO 27001/other standards/testimonials and other due diligence
  • Incident management
  • Availability/resilience
  • Back up data
  • Ability to restore access

What do we mean by technical security? (3)

SLIDE 48

Personal Data Breaches

SLIDE 49

  • NB Not all breaches of GDPR are personal data breaches. Not all fines will be for personal data breaches
  • ICO particularly concerned with personal data breaches:
  • “personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed” - Article 4(12)
  • Types of breach
  • Confidentiality/Integrity/Availability breach

What is a data security breach?

SLIDE 50

  • Contain
  • Assess
  • Notify
  • Review

How to deal with security breaches

SLIDE 51

  • Controller must be able to identify security breaches (Article 87)
  • Have a security breach checklist
  • Immediate containment
  • Who needs to know?

Contain: Initial Action

SLIDE 52

  • Need to assess to understand risks presented by breach
  • Investigation team
  • Produce investigation report
  • Gather information on:
  • Type of personal data
  • Volume
  • Likelihood and severity of risk
  • Circumstances of breach

Assess

SLIDE 53

  • Notify without undue delay and where feasible within 72 hours of becoming aware
  • Unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons
  • When do you “become aware”?
  • If not notified within 72 hours must include reason for delay in notification to supervisory authority
  • Must document the breach to enable supervisory authority to verify compliance
  • Failure to notify is a breach

Notify: When must we notify personal data breaches to the ICO

SLIDE 54

  • Notify unless breach unlikely to result in risk
  • Need to assess risk
  • Types of risk
  • Physical
  • Material/non-material damage
  • Risks include:
  • Loss of control/ limitation of rights/ discrimination/ identity theft or fraud/ financial loss/ unauthorised reversal of pseudonymisation/ damage to reputation/ loss of confidentiality

Is there guidance on what breaches must be notified to ICO?

SLIDE 55

  • Notify individuals where there is a high risk to rights and freedoms of individuals
  • Where personal data breach results in high risk, must communicate breach without undue delay
  • What is a high risk?
  • Where breach may lead to physical, material or non-material damage
  • Loss or disclosure of special category and criminal data – likely to be high risk

You have to notify individuals of breaches in some circumstances…

SLIDE 56

How do we decide if a breach is a risk or a high risk? (1)

  • What is the difference between a risk and a high risk?
  • Likelihood and potential severity
  • Type of breach
  • Nature, sensitivity and volume of data/numbers affected
  • Other circumstances
  • Ease of identification – pseudonymisation?
  • Severity of consequences
  • E.g. discrimination, identity theft, physical harm, fraud, financial loss, damage to reputation
  • Intentions of recipient of data
  • Special characteristics of individual/controller

SLIDE 57

How do we decide if a breach is a risk or a high risk? (2)

  • What protections are in place to minimise the risk of damage and to mitigate ongoing impact?
  • Is information encrypted/pseudonymised?
  • Was it already publicly available?

SLIDE 58

Risk or a high risk?

  • USB lost containing patient data. It is password protected
  • Letter containing notice of substantial pay award sent to wrong address (what if it includes individual’s bank account details?)
  • Email sent to wrong person asking for repayment of substantial debt owed to the company
  • CCTV data showing individuals at work doing unusual activities circulated round work for amusement
  • HR database access rights incorrectly set so that everyone has access although no evidence inappropriate access occurred
  • Papers containing salary details of all senior staff left on the printer in the office and read by other staff

SLIDE 59

  • Regulator
  • Insurer
  • Stakeholder
  • Employees
  • Police
  • Media

Other Notifications

SLIDE 60

  • Look at:
  • Security review to work out what happened
  • Consider other breaches suffered – check for similarities
  • Prevention plan (i.e. a plan to prevent future breaches)
  • Audits to enforce the prevention plan
  • Review policies and procedures
  • Review employee tasks and training
  • Review should strengthen security and reduce reoccurrence

Review

SLIDE 61

  • You have two employees with the same name. A disciplinary notice is sent to the wrong employee.
  • A customer informs you that your privacy notice does not comply with the requirements set out in the GDPR; you review the privacy policy and conclude she is correct.
  • An employee has a disciplinary hearing. In that hearing he is asked not to record the meeting but does so anyway and you later find out that a recording of the meeting exists.
  • A hospital emails out a record of disabled patients who require assistance with transport to those patients. The email is meant to be sent "bcc" but is instead sent "cc".
  • A cyber attack leaves you unable to access your systems for 12 hours. Although no data is stolen you were unable to complete customer transactions for that period.

To notify or not to notify – that is the question

SLIDE 62

  • Investigatory powers
  • Right to audit
  • Order provision of information
  • Access personal data held
  • Access premises and equipment
  • Enforcement powers
  • Administrative fines
  • Fines for personal data breaches and other fines
  • Compensation

Fines, Compensation and other Remedies

SLIDE 63

  • Compensation claims
  • Material and non-material damage
  • Court action required if organisation won’t voluntarily pay compensation
  • Joint liability for compensation claims between controller and processor

Compensation Claims

SLIDE 64

  • Requirement to follow pre-action protocol before claim brought
  • Exchange sufficient information to: understand each other’s position / decide how to proceed / settle issue / consider ADR / support efficient management of proceedings / reduce cost of resolving dispute
  • Claim letter detailing claim
  • Defendant response within reasonable time
  • Disclosure of key documents to each other
  • Award of costs?
  • ICO input
  • If you make complaint ICO will investigate and take action if it considers there has been a breach of data protection law.

Compensation Claims continued

SLIDE 65

Case law

SLIDE 66

  • Fine of €460,000 for insufficient internal security on patient records
  • Celebrity patient file viewed by over 197 hospital staff
  • Dutch DPA reviewed security measures for compliance with:-
  • Article 32
  • Specific health sector security standards
  • No alert to administrators if someone viewed a file they weren’t entitled to view
  • Inadequate control of access logs – should be “systematic, risk-orientated or intelligent control”
  • Lack of two-factor authentication
  • If no improvement in security by 2 October the Dutch authority required payment of an extra €100,000 a week up to maximum of €300,000

Case 1 – Haga Hospital - Netherlands

SLIDE 67

  • Fine of €250,000
  • To combat piracy La Liga used app to collect data without consent
  • App covertly collected audio and location data – it detected bars where La Liga matches were on but not paying the fee.
  • App got consent to activate microphone on the mobile (so it could detect sounds of football) but didn’t tell users why it did this - consent not specific and therefore inadequate
  • Privacy notice inadequate
  • Didn’t give users ability to withdraw consent

Case 2 – La Liga - Spain

SLIDE 68

  • Fine of 1.5m DKK (€200,800)
  • Failure to delete data about 385,000 customers
  • Fine followed supervisory visit and audit question regarding deadlines for deletion of customer data
  • ID Design ran two separate customer systems. Data in the old system had never been deleted. It included names, addresses, telephone number, email addresses and purchase history. No deadline had been set for deletion from the old system
  • Danish DPA concluded there was a breach of principle 5 (keep only as long as necessary)

Case 3 – ID Design - Denmark

SLIDE 69

  • Fine of 1.2m DKK (€160,754)
  • Retention of data for too long
  • Taxa deleted customer names and addresses after 2 years but kept phone numbers for a further 3 years
  • Taxa argued telephone numbers an essential part of its IT system and couldn’t be deleted as quickly
  • Danish DPA said a failure in the IT system can’t justify a serious breach of data protection laws (data minimisation)

Case 4 – Taxa 4x35 - Denmark

SLIDE 70

  • Proposed fine of £183.39m
  • Cyber attack led to user traffic to BA website being diverted to fraudulent site
  • 500,000 customer details compromised including payment card, name and address
  • Breach due to poor security arrangements
  • Known vulnerability which had not been updated since 2012.

Case 5 – British Airways - UK

SLIDE 71

  • Proposal to fine £99,200,396
  • Cyber incident led to 7m guest records in UK disclosed (30m in EU and 339m worldwide)
  • Vulnerability arose out of acquisition of Starwood hotels group.
  • Starwood systems compromised in 2014, bought by Marriott in 2016, discovered 2018
  • Marriott failed to undertake adequate due diligence on the corporate acquisition – should have done more to secure systems

Case 6 – Marriott Hotels - UK

SLIDE 72

  • Relates to request for damages against a social network provider for its removal of a post by that individual.
  • The right to compensation under GDPR does not apply to intangible trivial damage
  • Includes ‘perceived discomfort or minor trivialities’ and no ‘serious impairment to a person’s self image or reputation’.
  • Court stated that the right to compensation under GDPR could be absurd if cases of minor damage can trigger claims for compensation.

Case 7 – Beschl - Germany

SLIDE 73

  • Security breach of website platform hosting political party websites (including 5 star)
  • Following breach in 2017 platform required to implement various security measures
  • Platform failed to do so
  • Fine of €50,000

Case 8 – Rousseau – Italy (1)

SLIDE 74

  • Security measures required:
  • Vulnerability assessment to be periodically repeated
  • Old software no longer updated – patching was complicated and time consuming
  • Password system to be strengthened
  • Secure protocol and digital certificate to protect data during transfer
  • Solution regarding storage of passwords
  • Auditing measures to keep record of access and operations completed in the database
  • To guarantee integrity of data

Case 8 – Rousseau – Italy (2)

SLIDE 75

SLIDE 76

wardhadaway.com @WardHadaway Ward Hadaway Newcastle | Leeds | Manchester