In the last in a series of six articles based on the initial meeting of the Intelliflo GDPR Working Group to discuss the ramifications of the GDPR for financial advice firms, Rob Walton considers the question of breach reporting.
Breach reporting is perhaps one of the most radical new requirements introduced by the GDPR. The GDPR defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".
Most importantly, any breach that meets the threshold of posing a risk to data subjects will need reporting to the regulator within 72 hours. Where the breach poses a high risk to individuals' rights and freedoms, those individuals must also be notified. In the latter scenario, with the regulator intending to make public any breaches, there is a very real risk of acute embarrassment and severe reputational damage too.
It is important for firms to understand what constitutes a breach - specifically, whether the breach is likely to result in a risk or high risk to the rights and freedoms of individuals. If, for example, an unencrypted laptop or a USB stick containing personal information was lost, then this would qualify as a breach and would need reporting to both the regulator and the individuals. The material risk to the individuals is that their data is now in the hands of an unknown, potentially malicious party.
If an encrypted laptop or USB stick - one that is password protected - were lost or stolen, this does not necessarily qualify as a breach. Reasonable steps have been taken to protect the device, so the data stored on it will be very difficult for the thief or finder of the device to access, as they would also require the password or decryption key.
It is also important to consider supply-chain risk when outsourcing: a firm (the data controller) outsources to an external service provider (a data processor), and that service provider in turn outsources some aspects of its infrastructure to another service provider (a data sub-processor).
Where a breach occurs in such a situation, the data processors need to inform the data controller without undue delay so the data controller can notify the ICO within 72 hours. It is important that firms have clear documentation of which data they use external firms to process.
The working group discussed scenarios which may or may not constitute a breach. The aforementioned case of the files being damaged in a flood or fire in a firm's office would constitute a breach. The data was not kept securely and was effectively lost, impacting the way in which it could be processed and handled by the firm in question.
It was advised that the breach, in such an incident as this, would need to be reported to the regulator and probably the individuals concerned, if there was a high risk to their rights. There is clearly also an effect on the way that their data will be handled by the firm.
Where the data has not been backed up and this was the firm's primary source of data, then this would constitute a breach and would require reporting since there has been a material change to the way in which the firm can process the data - after all, they can no longer process it.
The obvious challenge identified by the working group was the identification of the individuals concerned in the breach. How can these people be identified and contacted? This comes back to the GDPR requirements around how data is held and processed by the firm. It would be unreasonable to assume using a laptop as the only source of data storage would be acceptable. The data should always be backed up.
Another question raised by the working group was identifying when they have experienced a breach. If, for example, someone has gone on holiday for two weeks and their house is burgled after one day of that two weeks, they would not know a laptop or USB, say, had been stolen.
The 72 hours within which a breach needs to be reported begins once the firm is aware a breach has occurred, which may be some time later. It was agreed each situation would turn on its merits and there could be occasions where the firm could not reasonably be expected to know immediately a breach had occurred. It was advised that, if an adviser had been on holiday and found out about the breach later, it would be reasonable to report the breach later as they could not have known at the time.
Where applicable, the reporting should be handled by the firm's data protection officer - if it has one - and they will need to comply with all requests from the regulator for information about the impact of the breach and the steps being taken to mitigate its effects.
Intelliflo confirmed it is re-contracting with its suppliers to ensure it is notified within 24 hours in the event of a data breach. This will be covered in a contract addendum provided to customers, confirming that Intelliflo will notify firms as soon as it is aware of a data breach.
Intelliflo advised it would be sensible for firms to have a well-documented process on how they will deal with a breach, understand how they report a breach to the Information Commissioner's Office and potentially have contractual relationships in place so they can draw on third-party expertise, such as a cyber security or data protection specialist, at short notice to help them understand, contain and manage a serious data breach should it occur.
Rob Walton is chief operating officer at Intelliflo
Accountability and governance: Key actions/outcomes
* Where the relevant thresholds are met, a data controller has 72 hours from when the breach has been notified or discovered to report it to the regulator. Similarly, where the breach is likely to result in a high risk to data subjects' rights and freedoms, they too should be notified.
* Take all reasonable efforts to prevent a breach. Ensure systems are correctly encrypted and that staff are aware of the risks they face.
* Work with the regulator - transparency in such instances will only help. If there are mitigating factors beyond the firm's control, then this may be looked upon favourably in final outcomes.
Accountability and governance: Questions for the wider advice community
* Do you have the processes in place to report breaches to the regulator? Have you considered how these work in practice and how do you envisage handling such instances?
* Do you understand what constitutes a data breach?
* Would you be interested in contracting for a data breach response service whereby a specialist firm would assist you in the event of a breach occurring?