With GDPR now in force you will need to move quickly. We know that even the best of plans can go wrong. Any company – large or small – can have a data breach. When this happens it is important to get good advice quickly. We have helped deal with dozens of data breaches in the last three years. We have helped companies in different sectors, including health and financial services. Our experience tells us that you are likely to need help in 4 main areas:-
- Investigate
- Assess
- Remediate
- Mitigate
Investigate
Our lawyers are used to investigating data breaches. We are familiar with most kinds of technology, so you are less likely to spend precious time explaining the breach to us. We are used to dealing with hard copy breaches too, such as lost files or diaries. We structure our investigations under legal standards of confidentiality and privilege. There is more information on our investigations practice and the countries we have worked in here:- http://www.corderycompliance.com/internal-investigations/.
Assess
It is important that you know the consequences as soon as possible. You will likely want to brief your board at a very early stage and they will want to know what is likely to happen. Whilst there is much talk of fines of up to 4% of annual worldwide turnover or €20m (whichever is higher) under GDPR, it is not that simple. Different breaches attract different levels of fines. Regulators also have a discretion and you might want to persuade them to exercise that discretion in your favour.
Data protection regulators might not be your only concern. Depending on what you do you might have a duty to report to other regulators as well – some of those regulators operate on even tighter time limits than the 72 hours under GDPR.
We have done a lot of work on assessing the likely levels of fines under GDPR. In addition, we can help assess:-
- What your customers’ reaction might be.
- Whether there is a potential for civil liability, for example with the enhanced ability of individuals to start proceedings for data protection infringements.
- What the potential press reaction might be.
- What the consequences for individuals within your business could be.
We deliver our advice quickly in a way that your management can understand.
Remediate
It is important to do what you can to minimise the effects of a breach quickly. Putting remedial measures in place early might also help you mitigate the regulatory consequences of the breach. We will help you put remedial measures in place which could include:-
- Quick reactive training to ensure that the same mistakes are not made again.
- A programme of victim outreach to help lessen or eliminate harm. This might include FAQs for call handlers or directly engaging with victims or their lawyers on your behalf. It might also include helping you respond to Subject Access Requests which we have found increase after an incident.
- New policies and procedures to make sure that the same thing does not happen again.
- Holding vendors to account if they have been responsible for the breach.
Since we have handled many data breaches, we have a lot of knowledge about the remediation that works and the type of remediation plan a regulator would expect to see.
Mitigate
Even under GDPR regulators have a discretion on the action they take – or whether they take any action at all. Regulatory penalties range from a non-public admonition to fines of up to 4% of annual worldwide turnover or €20m, whichever is higher. We have studied regulatory findings and we know what a regulator is likely to find important in a given scenario. In some countries a DPA will inform the organisation concerned of its plan to impose a penalty (for example) by issuing a so-called Notice of Intent. The organisation then has the opportunity to make representations about the imposition and level of the penalty. Making properly considered, well presented representations to the regulator will be crucial. We can help. We will also help liaise with regulators in different countries and in the local language where required.
Sometimes there will still be regulatory findings that you do not agree with. In some respects the GDPR fining mechanism is based on the EU’s competition law regime, and our team has experience of handling appeals under that regime. In many cases successful challenges have been brought in the European courts against regulatory fines, and the indications are that appeals against GDPR fines might follow the same path. The success rate on appeals against GDPR fines has been high so far. We can help you assess whether your outcome is reasonable and what your options are if it is not.
Help is here
At Cordery, we have many ways of helping you manage a data breach, including:
- specialist advice from lawyers in our data security team.
- our 6-minute film with help and tips on dealing with a breach https://www.corderycompliance.com/dealing-with-a-data-breach/
- Cordery Breach Navigator – our unique and comprehensive management tool https://www.corderycompliance.com/lexisnexis-launches-cordery-breach-navigator/