Late last year, a motor industry employee was given a six-month prison sentence for accessing thousands of customer records containing personal data without permission, using his colleagues’ log-in details to access a software system that estimates the cost of vehicle repairs.
The UK’s data protection regulator, the Information Commissioner’s Office (ICO), brought the prosecution under the Computer Misuse Act 1990. The ICO usually prosecutes under the Data Protection Act. However, in some cases it can prosecute under other legislation – in this case section 1 of the Computer Misuse Act – to reflect the nature and extent of the offending and to give the sentencing court a wider range of penalties.
In this instance, Mustafa Kasim had accessed the records while employed at Nationwide Accident Repair Services and continued to do so after he started a new job at a different car repair organisation which used the same software system. Kasim pleaded guilty to a charge of securing unauthorised access to personal data between 13 January 2016 and 19 October 2016, at a hearing in September 2018 and was sentenced at Wood Green Crown Court.
Of course, as is well known, the law in this area changed when the General Data Protection Regulation (GDPR) came into force in the UK in May 2018. The GDPR governs how businesses (known as data controllers) handle the personal information of their customers and employees. It significantly strengthens the regulation of data controllers – providing the ICO with powers to impose substantial fines for non-compliance. It also provides individuals with an array of rights which consumers and employees can look to enforce via the courts.
The new law is, in part, intended to force a cultural change in how we think about and protect people’s personal information. It is also intended to bring the law up to date with advances in technology as well as the widespread use of internet-based applications and social media.
There are huge financial penalties available to the ICO for cases of non-compliance – with fines of up to 4% of a company’s annual global turnover for the preceding financial year or the equivalent of around £18 million – whichever is greater.
Some businesses have already adapted their systems and processes for the new law; many others will either still be in the process of making the required changes or will not have begun yet. Sadly, some may still be unaware that the law has changed. In any event, it is crucial to ensure that an organisation is compliant with the new law, for three reasons: so that customer and employee data is handled safely and securely, reducing the risk of information being misused and the company’s reputation suffering as a result; so that the risk of being hit with a substantial fine from the ICO for non-compliance is reduced; and so that the risk of the company being sued by an individual or a group of individuals who may have been adversely affected by a data breach is also reduced.
On this it’s worth noting, as the BBC has reported, that supermarket Morrisons has been found vicariously liable for a data breach that saw thousands of its employees’ details posted online. Workers brought a claim against the company after an employee stole the data, including salary and bank details, of nearly 100,000 staff. While he was jailed for eight years in 2015 after being found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data, the ICO found that Morrisons had not breached data protection law.
For many businesses, ensuring full compliance with the law will be a sizeable task; however, taking the following steps should provide a good starting point:
Audit data processing activities
Firms should consider where, when and how they process personal data. They should map their processing activities so they can identify all types of data processing that the company carries out. They should then seek to ensure that they have a lawful basis for each type of processing that they are conducting. The lawful bases for processing are: ‘consent’, ‘performance of a contract’, ‘legal obligation’, ‘vital interests’, ‘public interest/exercise of official authority’ and ‘legitimate interests’. Whether one of the above applies to any particular type of processing will depend entirely on the circumstances. Additional conditions also apply to any processing of ‘special categories’ of data – such as information about a person’s health – which is prohibited unless further conditions are met.
Review contracts/service agreements with ‘data processors’
Data processors are those who process personal data on someone else’s behalf. A good example of this is where a company outsources its payroll to an external company. In that instance, the external company is a data processor. The law requires data controllers to ensure that they only appoint data processors who have provided sufficient guarantees regarding their GDPR compliance. The law also requires that this relationship be governed by a contract that sets out the parties’ data protection obligations.
Review direct marketing activities
Those that market directly to individuals must ensure that they have a lawful basis for using personal data for marketing purposes. An example of this is where firms send marketing emails to a person with their consent. It is not always necessary to have consent before marketing directly to people; this will depend upon the specific circumstances. Firms must comply with the GDPR and other legislation, including the Privacy and Electronic Communications Regulations (PECR).
Make sure ‘fair processing information’ is provided
Businesses should ensure that they provide a Privacy Notice to individuals when they first collect their data. The Privacy Notice should explain who the business is, provide its (and the Data Protection Officer’s) contact details, the purposes for processing people’s personal data and details of the legal basis upon which the business relies for processing the data. It should explain the details of any ‘legitimate interest’ that it may rely upon for processing data as well as the details of any third parties that the data may be sent to. Finally, it should also set out the details of any transfer of personal data that might occur to other countries and inform individuals about the rights they have under the GDPR.
Register the business as a data controller with the Information Commissioner
If the business processes personal data, then it should register with the Information Commissioner. For more information, see the Information Commissioner’s website: www.ico.org.uk
Implement policies and procedures to meet GDPR rights
Individuals have numerous rights under the GDPR, such as the right of access, the right to rectification and the right to erasure. If a firm receives such a request from an individual, it will be important for it to ensure that it responds to the request appropriately and within the one-month time limit. Having policies and procedures in place to facilitate the handling of a request is important in order to ensure that the request is handled correctly and in order to be able to actively demonstrate compliance with the law.
Implement appropriate security measures
Businesses should ensure that their systems for processing personal data – both offline and online – are physically secure, utilising appropriate technical and organisational measures. Systems should be tested regularly. It may make sense to use a reputable IT company to test the security and integrity of the firm’s IT systems.
Conduct staff training
The vast majority of data breaches are the result of human error. Ensuring that staff are trained in relation to data protection issues and that the business is able to demonstrate this in the event of a data breach are critical steps towards preventing a breach from occurring in the first place. It may also help in avoiding a financial penalty from the ICO in the event of a breach. Businesses should train all staff and conduct annual refresher training.
Consider whether it is necessary to appoint a Data Protection Officer (DPO)
This is mandatory in some instances – particularly if the business’s core activities consist of regular or systematic large-scale monitoring of individuals. However, even if it is not mandatory, the business may still wish to appoint a DPO in order to ensure that a single person takes responsibility for ensuring compliance. A DPO must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law. A DPO must also meet certain minimum tasks and responsibilities set out in the GDPR.
Implement an effective system for reporting data breaches
Personal data breaches must be reported to the ICO within 72 hours unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. It is, therefore, important that the firm has an appropriate process in place to promptly analyse a data breach, reach a determination on whether it is mandatory to report the breach, and report it where necessary.
Conduct a Data Protection Impact Assessment when necessary
If a proposed data processing activity is likely to result in a high risk to the rights and freedoms of individuals, and where a type of processing utilises new technology, the business must conduct a Data Protection Impact Assessment (DPIA) before it begins that processing. A DPIA is a risk assessment aimed at identifying potential risks in the proposed processing of personal data, in order to enable a data controller to address and minimise those risks if it is appropriate to carry out the proposed processing. A DPIA must be documented.
The law is quite clear on what it expects and the punishment that it will mete out if the rules aren’t followed. As recent cases have shown, both individuals and companies alike can face action.
Carl Johnson is a partner and head of regulatory at Stephensons Solici