Data is rarely away from the headlines. It’s a far cry from when I started my law degree, in those far-off days before the Data Protection Act 1984 began our lawmakers’ ever-increasing focus on rules affecting the handling and processing of data.
While hacking – whether by the NSA or the News of the World – makes better headlines, a recent set of new rules takes us one step closer to a change that will have a much bigger effect on the data handling practices of all UK businesses.
Back in August, new rules requiring notification of personal data breaches within 24 hours came into force. These new rules are set out in an EU Regulation that applies Europe-wide to all providers of publicly available electronic communications services, for example, telecoms companies and internet service providers.
Crucially, although currently sector-specific, the new rules are likely to set the tone of any future reforms relating to breach notification for all businesses.
In the event of a personal data breach, providers have a duty to notify the national regulator – which, in the case of the UK, is the Information Commissioner’s Office. But that’s the easy bit: providers may also be required to notify any subscribers or individuals adversely affected by the breach – which will be considerably harder and more expensive.
When and to whom?
The most significant change brought about by the Regulation is the duty to notify the competent and relevant national authority no later than 24 hours after the breach is detected.
Where a data breach is likely to adversely affect an individual’s personal data or privacy, providers must also notify those subscribers and individuals of the breach.
Where this notification is necessary it must be made without undue delay following detection of the personal data breach. There is no standard form that providers must use when notifying subscribers or individuals of a breach. However, the Regulation obliges them to use clear and easily understandable language and expressly prohibits providers from using the notification as an opportunity to promote or advertise new or additional services. Where the provider is unable to identify all individuals who are likely to be adversely affected by the breach, it must notify them through advertisements in major national or regional media – again, without undue delay.
The new deadlines for making breach notifications are the most significant changes imposed by the Regulation. Given the level of detail to be included in a notification, companies would be well advised to have internal procedures in place that allow this information to be gathered (and a properly prepared plan of action implemented) within those periods.