A story very much in the headlines at the moment is the breach of Uber’s computer systems.
According to Bloomberg, which first broke the news, Uber’s systems were breached in 2016 and Uber paid the hackers $100,000 (£75,000) to delete the data they had stolen. That data apparently included the names, email addresses and mobile phone numbers of 57 million people, together with the names and licence details of around 600,000 drivers. Concerns have been raised about Uber’s data protection compliance, and some commentators have accused Uber of failing to notify the appropriate authorities in a timely manner.
The Information Commissioner’s Office (ICO) is trying to determine whether the breach affected UK citizens, in which case it would have expected Uber to notify it.
The new General Data Protection Regulation (GDPR) applies from 25 May 2018, so this news about Uber could not have been timelier. The GDPR will change the way personal data can be handled and will increase the fines that can be imposed for failure to take proper care of it.
Under the current law there is no general obligation to report data breaches (outside sector-specific rules such as those for telecoms providers), but the ICO recommends that serious breaches be reported without undue delay. Factors to be taken into account when considering whether a breach is serious enough to report include the potential detriment to individuals and the volume and sensitivity of the data lost, released or corrupted. For now at least, the ICO can impose penalties of up to £500,000 when it believes that a breach that should have been reported was not. However, heavier fines are on the way.
Moreover, the GDPR will soon impose a legal obligation to report. Under the new law, a data breach that is likely to result in a risk to the rights and freedoms of individuals must be notified to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it. If the breach is likely to result in a “high risk” to individuals’ rights and freedoms, the individuals concerned must also be notified without undue delay.
Another important change is the significantly increased fines that can be imposed for breaches of the GDPR. After May 2018, infringements fall into two tiers: the lower tier carries a fine of up to 2% of annual worldwide turnover for the previous financial year or 10 million euros, whichever is the higher, and the upper tier (which covers the core data protection principles and individuals’ rights) carries a fine of up to 4% of annual worldwide turnover or 20 million euros, whichever is the higher. Fines of that scale will be reserved for the most serious cases.
The Government has confirmed that the GDPR will continue to apply in the UK after Brexit. So, now is the time to review your data protection policies and procedures.
Are you ready for the new data protection regime? Our experienced lawyers can help you review and update your current policies to bring them in line with the new law.
If you have any questions or need assistance, please do not hesitate to contact a member of our Corporate & Commercial team on 0800 042 0700 or email email@example.com
Find out more about our Corporate & Commercial department.