A number of people have asked whether the GDPR (General Data Protection Regulation) applies to data breaches that occurred before 25 May 2018 but were discovered after that date.
The short answer appears to be yes, but, as ever, it’s not entirely clear.
An unnamed European Commission official confirmed that, although the GDPR is not retroactive, it would still apply to historic data breaches discovered after 25 May. Speaking at a press conference the day before the EU’s Digital Day in Brussels in April, he said:
“If you discover the crime the moment it happens, but it started a long time ago, this doesn’t really matter. This is not retroactive application, this is application of the actual case.”
He stressed that the GDPR’s 25 May enforcement date was well known.
“If there is a breach discovered the day after,” he said, “the GDPR will apply.”
However, whether the Information Commissioner’s Office (ICO) shares this interpretation remains to be seen. Dixons Carphone’s latest incident is likely to be a test case. The ICO said on 13 June:
“It is early in the investigation. We will look at when the incident happened and when it was discovered as part of our work and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts.”
New fines for old crimes?
Under the UK Data Protection Act 1998, the ICO had the power to fine non-compliant organisations up to £500,000.
The GDPR changed that, introducing “effective, proportionate and dissuasive” administrative fines of up to 4% of annual global turnover or €20 million (approximately £17.5 million) – whichever is greater.
The Information Commissioner has emphasised that she is proud of the ICO’s reputation as a fair and proportionate regulator, and has robustly denied that she will make early examples of organisations for minor GDPR infringements or regularly dole out maximum fines. (In 2016–17, only 0.09% of cases concluded by the ICO resulted in fines for the organisations involved – this is unlikely to significantly change.)
However, data controllers should not be complacent. Fines are only one of the ICO’s corrective powers: it can also issue warnings and orders requiring an organisation to bring its processing into compliance, and complying with such an order can cost far more than the original remediation would have.
The new law also grants data subjects the right to lodge a complaint with the ICO if they consider that any processing of their personal data infringes the GDPR, and the right to an “effective judicial remedy” against data controllers and processors if their rights have been infringed by processing that does not comply with the Regulation.
So even if a breach you suffered before 25 May 2018 is ultimately dealt with under the 1998 Act, you still face the ICO’s enforcement powers under that regime, and the reputational damage of a late-discovered breach is the same whichever Act applies.
Mandatory breach reporting
You can’t conceal any breaches you become aware of, either. The GDPR requires data processors to notify data controllers without undue delay of any personal data breach, and data controllers to notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to data subjects’ rights and freedoms. Note that the clock starts when you become aware of the breach, not when it occurred, which is why the ICO’s question of “when it was discovered” matters so much. If a full report cannot be completed within 72 hours, the GDPR allows the information to be provided in phases, but a late notification must be accompanied by the reasons for the delay.
Data subjects themselves must be notified without undue delay if there is a high risk to their rights and freedoms. (How these levels of risk are to be quantified remains to be seen.) One security-relevant caveat: notifying data subjects is not required where the controller had applied protective measures that render the affected data unintelligible to anyone not authorised to access it, such as encryption, which is a strong practical argument for encrypting personal data at rest.
Average time between breach occurrence and detection
Data breaches are often discovered long after they occurred. Ponemon Institute’s 2017 Cost of Data Breach Study for the UK found that it takes organisations an average of 191 days to identify a data breach and a further 66 days to contain it. The longer it takes to identify and contain a breach, the more it costs. With mean time to identify measured in months, a large share of the breaches discovered in the months after 25 May 2018 will have begun before that date, which is exactly the situation the Commission official and the ICO were describing.
Help with GDPR compliance
The 25 May enforcement date wasn’t a destination; GDPR compliance is an ongoing concern that must be continually reviewed.
Whether you’re still in the early stages of your compliance journey or need help ensuring you maintain your compliance, IT Governance is here to help.
For a limited time only, save 15% on our recommended solutions for the essential steps you need to take to demonstrate compliance with the GDPR.