Cyber Attacks, Data Hacks, Privacy Breaches
For businesses large and small, privacy breaches can have dire consequences. From 25 May 2018 the new General Data Protection Regulation (GDPR) allows supervisory authorities to impose fines of up to €20 million or 4% of your business's global annual turnover, whichever is greater. Could your business really cope with such a hit? The consequences for your business could be very serious; our specialist solicitors can help.
We regularly assist businesses of all sizes with data protection and GDPR issues. Our team will not only provide a comprehensive assessment, inventory and mapping of your data and audit your business, but will also support you in all aspects of data protection. To discuss your specific needs and concerns with an expert practitioner who can help, call us today on 0151 659 1070 or complete our online enquiry form and we will get back to you right away.
Our data protection & GDPR services in Liverpool, Wirral and Merseyside
As a GDPR practitioner, we can provide you with data mapping and an inventory, and then perform your Data Protection Impact Assessment to suit your business. We can:
- Conduct a data audit for your business
- Provide you with ongoing advice on access to and use of sensitive personal data in accordance with GDPR
- Support and guide you in relation to rules regarding cookies and cookie policies
- Advise in respect of data sharing, particularly in respect of sensitive data such as medical records online
- Deal with data subject access requests
- Handle privacy and Electronic Communications issues
- Assess and draft privacy notices
- Advise on social media issues
- Assist with reputational damage
- Provide guidance on electronic marketing and e-Communications, including supply chains
- Advise you when a third party seeks access to the data of one of your customers, and explain what your duties and responsibilities are
We can also provide advice on employment issues that concern data protection and the GDPR. This includes, but is not limited to, updating employment contracts, updating privacy notices and providing advice on Data Subject Access Requests.
To put our service more simply, we look at your business's risk profile, taking account of key aspects such as staff, training, systems, business type and third-party interactions. We then determine the most suitable plan to assess the risk to your business from a legal and regulatory perspective, alongside the technical measures and insurance cover you have in place.
3.15 billion records were exposed in 2016, stemming from many publicised breaches across the financial, business, education, government and healthcare sectors.
- The average global cost per lost or stolen record containing confidential and sensitive data is around £125. The industry with the highest cost per stolen record is healthcare, at around £300 per record.
- In 2016, there were around 35% more security incidents detected than in 2015.
- The median number of days that attackers remain undetected inside a network is over 200.
- As many as 70% of cyber attacks use a combination of phishing and hacking techniques and involve a secondary victim.
- Around three quarters of Chief Information Security Officers are concerned about employees stealing sensitive company information.
- Only around 40% of global organisations claim they are prepared to handle a sophisticated cyber attack.
- 80% of data breach victims report they had neither a system nor a managed security service in place that would let them detect breaches themselves, relying instead on notification from an external party. This is despite the fact that self-detected breaches are contained within around two weeks of the intrusion date, whereas breaches detected by an external party take an average of around 150 days to contain.
So what is happening?
Following a number of high-profile breaches, there is now greater awareness. Plenty of IT companies are getting on board: more and more are developing specialist teams of 'white hat' hackers who can stress-test your systems and check for weaknesses, while insurance companies now offer 'cyber policies' for your business to purchase. But with the GDPR on the horizon, you will be required to SHOW that your business is compliant, whether as a data controller or a data processor.
Data impact and privacy assessments
We will spend time with your business to go through your requirements and ensure compliance with the regulation. Data protection impact assessments (DPIAs) help your business identify the most compliant ways to fulfil its data protection obligations and meet individuals' expectations of privacy. They are integral to an organisation's approach to privacy by design. Further, the GDPR sets out the circumstances in which a DPIA is mandatory.
Data protection & GDPR FAQs
What is a Data Protection Impact Assessment?
A Data Protection Impact Assessment is also known as Privacy Impact Assessment (PIA). It is a tool with which to ensure compliance with GDPR and enables an organisation to identify and resolve any issues at an early stage to mitigate costs, damage and loss which might otherwise occur.
When will my business need to carry out a DPIA?
Article 35 of the GDPR requires you to carry out a DPIA where a type of processing, in particular one using new technologies (including web-based applications), is likely to result in a high risk to the rights and freedoms of individuals. Note that it is the likely high risk, not the novelty of the technology on its own, that triggers the obligation.
What is 'high risk processing'?
This could involve extensive or systematic activities such as profiling, or large-scale processing of special categories of data or of personal data relating to criminal convictions or offences. It also covers processing of large volumes of personal data at regional or national level that affects a large number of individuals, where the sensitivity of the processing creates a high risk to their rights and freedoms, and it includes widespread and systematic monitoring of publicly accessible places, for example by CCTV. The Article 29 Working Party, which includes data protection authorities from each EU Member State, has published guidance on high risk processing and DPIAs, and this has been relied on in regulatory enforcement as well as civil actions.
What information is contained within the DPIA?
The GDPR does not set down specific requirements as to how an organisation is to conduct its DPIA. However, it does require a description of the processing operations and the purposes. Where applicable, it should also set down the legitimate interests pursued by the controller.
There are four elements that a DPIA must contain (Article 35(7)):
- a systematic description of the processing operations and their purposes;
- an assessment of the necessity and proportionality;
- an assessment of the risks; and
- the measures needed to address the risks.
How can I be certain as to what kind of assessment my business needs?
Every organisation is different and will therefore use and control different kinds and volumes of data. To determine the right DPIA process for your business, it is useful first to establish what information your business actually holds, which is why Data Flow Mapping and a Data Inventory are invaluable for developing your processes and systems.
It follows that not all processes and systems will require the same type of assessment. The type of assessment you need depends on the processing activity being assessed, as well as your business's aims with respect to privacy and data protection compliance.
What if there is a breach of the data I hold?
The GDPR sets down two levels of fines, in each case the higher of the two figures applying:
1) The lower level of fine, up to €10 million or 2% of the company's global annual turnover, applies to infringements listed in Article 83(4) relating to:
- Integrating data protection ‘by design and by default’
- Records of processing activities
- Cooperation with the supervising authority
- Security of processing data
- Notification of a personal data breach to the supervisory authority
- Communication of a personal data breach to the data subject
- Data Protection Impact Assessment
- Prior consultation
- Designation, position or tasks of the Data Protection Officer
2) The higher level of fine, up to €20 million or 4% of the company's global annual turnover, applies to infringements listed in Article 83(5) relating to:
- The basic principles for processing, including conditions for consent, the lawfulness of processing and the processing of special categories of personal data
- Rights of the data subject
- Transfer of personal data to a recipient in a third country or an international organisation
What if my company holds a ‘Cyber Insurance’ policy?
Having a cyber liability insurance policy in no way absolves you from your obligations under the GDPR; however, depending on the policy, it may help to some extent. We can therefore advise you on how your policy wording, underwriting requirements and governance arrangements fit together with your data protection obligations.
Data Protection and GDPR Insights
- Responsibilities of the Processor
- GDPR Article 28 – Processor Requirements
- e-Marketing and Consent
- Marketing Data Consent
- Withdrawing Consent and Right of Erasure
- Right to be Forgotten
- Right to be Forgotten – Record Keeping
- Binding Corporate Rules
- HR Data on the Cloud
- Territorial Scope of GDPR
- Compliance Tools to Support with GDPR Gap Analysis and Audits
- GDPR-compliant Document Handling
- How to Get on Top of Your Data Protection and InfoSec Requirements
- Technical Initiatives to Stay Privacy Safe
- When to Hire a Data Protection Officer
- Data Protection Terms and Definitions
Contact our data protection and GDPR practitioners
Data protection and GDPR compliance is a highly specialised and complex area of law with potentially serious consequences. If you have concerns about the information your organisation holds, it is essential that you contact a team of specialist practitioners to work with you. We make the process as straightforward as possible with minimal disruption to your business. For free initial advice from our team, call today on 0151 659 1070 or complete our online enquiry form and we will get back to you right away.