Out-Law News
31 Oct 2024, 10:42 am
Businesses have been urged to recognise the human impact that personal data breaches can have in the way they communicate with people affected by such incidents.
Data protection law expert Laura Gillespie of Pinsent Masons said that message, relayed by the UK Information Commissioner’s Office (ICO), has the potential to translate into the way the ICO undertakes enforcement action in the wake of personal data breach incidents, under UK data protection laws.
According to the ICO, organisations must “do better” to protect people from harm that can arise from data breaches, warning of the “far-reaching ripple effect” that data breaches can have and calling on them to “recognise the critical importance of data protection in safeguarding people’s lives”.
In new guidance it has issued on post-data breach communications with data subjects, the ICO advised organisations to “promptly assess the risks to the individuals involved, including your reporting and notification duties” and “acknowledge what has happened with the person affected by a breach”. Businesses should “be human and accessible” in their response and “commit to making sure it doesn’t happen again”, it added.
The ICO’s new guidance was issued alongside a blog from UK information commissioner, John Edwards, which included the message: “Organisations need to understand that the harm doesn’t end with the breach – that is only where it begins.”
Edwards added: “Data protection has never been about computers or robots – it's about people. The information we are trusted with is not just a set of numbers or details – it reflects individual lives. Yet in figures revealed by the ICO today, we see that 55% of adults have had their data lost or stolen. That is nearly 30 million people. The personal and emotional toll of this is too often overlooked. Alarmingly, 30% of victims report emotional distress, yet 25% receive no support from the organisations responsible. Even more troubling is that 32% of those affected find out through the media rather than from the organisation itself, deepening feelings of betrayal.”
Edwards said the data shows that “too many organisations fail to fully appreciate the harm they cause when they mishandle personal data”.
Gillespie said: “It is clear that the statistics from the ICO serve as an important reminder that organisations should have clear incident response plans in place, to enable them to respond efficiently and effectively to understand the nature of the breach and who is affected by it, and thereby ensure that any communications to individuals are drafted appropriately. In the last quarter’s data security incident trends, 71% of the incidents reported to the ICO were non-cyber incidents, demonstrating that controllers continue to prioritise appropriate organisational measures such as staff training, policies and procedures, as well as embedding a culture which recognises and values the importance of data protection.”
“The ICO has produced a range of materials which businesses can share with staff to remind them of the real and practical impact, or ‘ripple effect’, that a personal data breach can have. The ICO is encouraging that communications following a personal data breach have empathy at their heart,” she added.