The Information Commissioner’s Office (ICO) has reported a 22% increase in the number of cases received in the first quarter of this year (April – June 2016) compared to the previous quarter.
Health and local government sectors: data security incidents
The ICO received over 500 cases in the first quarter, of which the health sector accounted for 43%.
Although the NHS makes it mandatory to report incidents, the ICO still noted a 26% increase in the number of data security incidents for the health sector compared with the previous quarter.
Because of the sensitive personal data that the health sector handles, a security incident can lead to “extensive detriment and high levels of distress for the data subjects affected.”
The second most prevalent sector for data security incidents in Q1 2016/17 was local government. Data security incidents increased by 44% in this sector compared with the previous quarter.
Comply with the DPA to avoid fines
Currently, anyone who processes personal information must comply with the eight principles of the DPA, but it can be difficult to know what you have to do.
IT Governance’s DPA Compliance Toolkit contains all the key documents you need in order to ensure compliance.
It includes templates such as a Data Protection Policy, a Fair Processing Notice, and guidelines for laptop hard drive encryption and staff induction, among others.
Coming soon: the GDPR
The EU GDPR (General Data Protection Regulation) will come into force on 25 May 2018, imposing stringent data security requirements on all organisations that process or handle data of EU residents. Any organisation that fails to meet these requirements will be faced with fines of up to 4% of their annual global turnover (NB turnover, not profit) or €20 million – whichever is greater.
If your organisation suffers a breach, it will likely be investigated by a supervisory authority (which will almost certainly be the ICO in the UK), and you will need to prove that you took appropriate and comprehensive steps to prevent it.
Even though the British electorate voted to leave the EU, the GDPR will still be applicable to UK organisations. Until the Brexit negotiations and process are completed following the invocation of Article 50, UK organisations must fully comply with the EU’s laws. Furthermore, the ICO was at the forefront of the GDPR’s development, so it’s very likely that the current UK DPA will be updated to reflect the more rigorous requirements of the GDPR.
To help, we have developed the EU GDPR Documentation Toolkit, which provides all the critical documents your organisation will need to comply with the new regulations, including documents covering data protection policy, DPO requirements, privacy impact assessments, incident response and breach reporting.