Data Protection & GDPR Lawyers Liverpool

3.15 BILLION records were exposed in 2016, stemming from many publicized breaches across the financial, business, education, government and healthcare sectors.

Source

• The average global cost per each lost or stolen record containing confidential and sensitive data is around £125.00. The industry with the highest cost per stolen record is healthcare, at around £300.00 per record.
• In 2016, there were around 35% more security incidents detected than in 2015.
• The median number of days that attackers stay dormant within a network before detection is over 200.
• As many as 70% of cyber attacks use a combination of phishing and hacking techniques and involve a secondary victim.
• Around three quarters of Chief Information Security Officers are concerned about employees stealing sensitive company information.
• Only around 40% of global organisations claim they are prepared to handle a sophisticated cyber attack.
• 80% of data breach victims report they had neither a system nor a managed security service in place to ensure they could self-detect data breaches, relying instead on notification from an external party. This was the case despite the fact that self-detected breaches take two weeks to contain from their intrusion date, whereas breaches detected by an external party take an average of around 150 days to contain.

A Data Protection Impact Assessment is also known as Privacy Impact Assessment (PIA). It is a tool with which to ensure compliance with GDPR and enables an organisation to identify and resolve any issues at an early stage to mitigate costs, damage and loss which might otherwise occur.

GDPR mandates that you carry out a DPIA when using new technologies, including web-based applications and where processing the information in respect of this is likely to result in a high risk to the rights and freedoms of individuals.

This could involve things like extensive or systematic activities such as profiling, large scale processing of special categories of data or personal data relating to criminal convictions or offences.  It also includes large levels of personal data at regional and national levels affecting a large number of individuals where there is a high risk to the rights and freedoms of those individuals based on the sensitivity of the processing. This can include widespread and systematic monitoring of public places by CCTV. The Article 29 Working Party, which includes data protection authorities from each EU Member State, has provided guidance on high risk processing and DPIAs and this has been used in regulatory enforcement as well as civil actions.

The GDPR does not set down specific requirements as to how an organisation is to conduct its DPIA. However, it does require a description of the processing operations and the purposes. Where applicable, it should also set down the legitimate interests pursued by the controller.

There are four elements that a DPIA assessment must contain:

• a systematic description of the processing operations and their purposes;
• an assessment of the necessity and proportionality;
• an assessment of the risks; and
• the measures needed to address the risks.

Every organisation is different and therefore will use and control different levels of data. To assist with determining the right type of DPIA process for your business, it is useful to establish what information your business has, and therefore Data Flow Mapping and a Data Inventory are invaluable to develop processes and systems.

Naturally, it follows that not all processes and systems will require the same type of assessment. The type of assessment you require to be conducted is dependent on the type of processing activity being assessed, as well as your business' aims with respect to privacy and data protection compliance.

• As a GDPR Practitioner, we are able to provide you with data mapping and an inventory, and then perform your Data Protection Impact Assessment to suit your business
• We can provide you with ongoing advice on access to and use of sensitive personal data in accordance with GDPR
• We can support and guide you in relation to rules regarding cookies and cookie policies
• Advice and guidance in respect of data sharing, particularly in respect of sensitive data such as medical records online (assessing the risk)
• Data subject access requests (who, where and how?)
• Privacy and Electronic Communications issues
• Privacy policies, i.e. are they worded correctly, are they fit for purpose?
• Social media issues
• Reputational damage
• Guidance on electronic marketing and e-Communications, including supply chains
• Advice when a third party seeks to access the data of one of your customers, and informing you as to what your duties and responsibilities are.

The GDPR sets down two levels of fines:

1) The lower level of fine, up to €10 million or 2% of the company’s global annual turnover, will be considered for infringements listed in Article 83 relating to:

• Integrating data protection ‘by design and by default’
• Records of processing activities
• Cooperation with the supervising authority
• Security of processing data
• Notification of a personal data breach to the supervisory authority
• Communication of a personal data breach to the data subject
• Data Protection Impact Assessment
• Prior consultation
• Designation, position or tasks of the Data Protection Officer
• Certification

2) The higher level of fine, up to €20 million or 4% of the company’s global annual turnover, will be considered for infringements listed in Article 83(5) relating to:

• The basic principle for processing, including conditions for consent, the lawfulness of processing and processing of special categories of personal data
• Rights of the data subject
• Transfer of personal data to a recipient in a third country or an international organisation

Having a policy of cyber liability insurance in no way absolves you from obligations under the GDPR; however, depending on the policy, it may help to some extent. Therefore, we can advise you on insurance information and governance in accordance with policy wording, underwriting advice etc.