DPC and Ark Life: Security measures for handling personal data

Friday 14 October 2022

A recent decision made by the Data Protection Commission (DPC) in Ireland has given an indication of what “appropriate technical and organisational measures” could look like and reinforces that having in place a good privacy framework and governance system is the key to demonstrating compliance with data protection legislation.

A good privacy framework should include policies which address data privacy, but businesses should also be undertaking a continuous assessment of the risks associated with their processing of personal data. If their privacy frameworks or policies are ever called into question, businesses should be able to demonstrate that they react appropriately to those risks, which might include demonstrating that all staff are trained, not just in general data protection compliance but specifically in relation to the risks faced by their own business.

The DPC is the Irish supervisory authority for data protection under the General Data Protection Regulation (GDPR). In September 2022, the DPC issued its final decision following an investigation into Ark Life Assurance DAC (Ark).

The DPC started an investigation into Ark after receiving 156 personal data breach notifications from it during the period December 2018 to May 2021. The DPC’s investigation focused on the organisational and technical measures which Ark had in place to ensure the security and accuracy of the personal data involved.

Article 32(1) of GDPR and UK GDPR covers the security of processing of personal data, and both versions require that:

“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

In its decision, the DPC provided some comfort to businesses by confirming that Article 32 does not require a company “to ensure that zero personal data breaches occur, nor does it impose a strict liability standard on a controller where a personal data breach does occur…” but indicated that, to ensure the level of security is appropriate to the risk, the business should continuously re-evaluate its security in light of the risks posed.

This can be done by undertaking a risk assessment: you look at the type of data you are processing and the context and purposes of the processing, and you then ensure that the level of security is appropriate to the risk posed to the rights and freedoms of the individuals whose personal data you are processing.

To establish whether Ark had implemented the correct level of security for the risks posed, the DPC looked at its existing frameworks, policies and procedures and its ongoing governance. It also looked at the training delivered and the training records and, having considered the data privacy culture as a whole, the DPC was satisfied that Ark had implemented appropriate technical and organisational measures.

Whilst this decision was made by the Irish data protection regulator, the circumstances that led to the investigation are not uncommon in the UK. Most of the breaches which Ark reported to the DPC were the result of personal data being disclosed because of errors in the postal or email address used for correspondence.

So far this year, the UK’s data protection regulator, the Information Commissioner’s Office (ICO), has received 750 reports of personal data being emailed to the incorrect recipient and 181 reports of personal data being posted to the incorrect recipient. Breaches involving personal data emailed to an incorrect recipient constituted 18% of the total reports made to the ICO. It is clear, therefore, that the types of breaches which prompted the DPC’s investigation into Ark are not uncommon.

Key to Ark being able to satisfy the DPC that it had in place appropriate technical and organisational measures was Ark evidencing that it had a training and awareness programme in place, and that enhanced training had been delivered specifically to address the identified root causes of those breaches. Ark was also able to evidence that it had created specific guidance containing information on how to minimise the risks of breaching the data protection legislation.

Establishing a good data protection regime with relevant policies, guidance and training is the key to evidencing that your business takes data protection seriously. If your business is experiencing repeated or accumulating personal data breaches, you should be able to demonstrate that you have considered and addressed the underlying risks with the aim of preventing recurrence. All staff should undergo regular training, with further enhanced training in those areas which are most susceptible to personal data breaches.

If you or your organisation have any queries on how to establish a compliant data privacy culture or would like to discuss bespoke training to tie into your existing frameworks, please contact Eleanore Beard in our Data Protection team.
