By Patrick O’Kane
Barrister and Data Protection Officer
Saying sorry is fashionable these days. From philandering politicians to incompetent CEOs, it is often the norm to confess all when you throw yourself at the mercy of the public. Back in the Nixon era, politicians and titans of industry often kept their heads down and hoped it would all blow over. Often it did. No longer. We now live in the Age of Accountability. And there are new rules in place around ‘fessing up when you lose customer data.
As a barrister and Data Protection Officer for a Fortune 500 company, I have been advising businesses on these new rules.
Facebook have just come clean about the fact that up to 50 million Facebook accounts may have been accessed illegally by hackers. They have ‘fessed up to the 50 million users involved.
We can lose customer information in all sorts of ways: from leaving a laptop on a train, to emailing customer spreadsheets to the wrong address, from having your customer website hacked to having your IT systems fail. These losses of information are known as “data breaches”.
Remember the EU General Data Protection Regulation (‘GDPR’) that you kept hearing so much about earlier this year? It applies to companies in the EU and to companies outside the EU that sell to EU residents. Under GDPR there are new rules about when and how you must come clean when you lose customer information. If you break these rules, by not reporting such a breach or by not reporting it quickly enough, then you could be in line for a major fine. The maximum fine for not reporting a data breach is an ulcer-inducing 2% of global annual turnover or $11.44 million.
My 3 tips for your business are:
- You do not have to report all data breaches – There is a myth that any time any customer information is lost, the business must tell regulators and the people involved. Only more serious breaches must be reported.
- Sometimes you must tell regulators within 3 days of it happening – Contacting regulators is never fun. Especially when you must tell them about something that you have done wrong. Under GDPR we do have to tell EU regulators about data breaches that are likely to result in a “risk” to people and their data protection rights. For example, losing details about a customer’s breakfast order is not going to cause any risk. Losing a customer’s financial or medical records is likely to cause such risk. The challenge is that such a breach must be reported within 72 hours.
- Sometimes we must tell our customers when we have lost their data – If a data breach is likely to result in a high risk to the customers themselves then we have to ‘fess up to them directly. If a company loses details about a movie I watched online last night then it won’t cause a high risk to me. If they lose my credit card number then it probably would cause me a high risk and they should tell me. These breaches must be reported to customers “without undue delay”.
The last thing your company needs is to get hit with a fine for not reporting a data breach. Don’t turn a disaster into a catastrophe: make changes within your company today to stay on the right side of these rules.
Patrick O’Kane is a barrister and Data Protection Officer for a US Fortune 500 company and the author of GDPR: fix it fast.