Explaining Data Breaches
If you’ve turned on the news today, you’ve almost certainly heard about the Uber data breach and cover-up, affecting tens of millions of customers. In fact, there have been a huge number of major incidents this year alone - the Yahoo breach, Equifax, American voter records, and the recent leak of a vast collection of US Defence records are just a few of this year’s most notable leaks, affecting billions of people across the world.
Essentially, a data breach is the release of information that should have stayed private, often as the result of a hack. The exposed data can range from email addresses and passwords to financial details, which can leave victims in a hugely difficult position.
Best Practices for Data Breaches
As an individual, there’s unfortunately not a huge amount that you can do to prevent data breaches, though there are a couple of steps which can help minimize the negative effects.
Firstly, ensure that every password you use is unique. When passwords are reused across multiple sites, a breach at one site which exposes passwords can leave your accounts at other sites accessible too - we’d generally recommend using a password manager. Leading on from that, it’s always worth understanding how any breached data can be used against you - we’d recommend reading through the Information Commissioner’s Office (ICO)’s public guides for some useful information and assistance.
How GDPR will affect Data Breaches
In May next year, the storage of personal information by businesses is set to be dramatically shaken up with the introduction of GDPR - General Data Protection Regulation. Designed to update data protection law for the modern day, GDPR locks down a lot of the major problems that can lead to data breaches, and introduces significantly heavier fines for businesses found to be violating the law.
While there’s still some question as to exactly what changes GDPR will cause, there are a few clear points to be aware of.
Data consent: A major part of GDPR, this ensures that businesses will need explicit consent to store or use personal data. This is definitely one of the more uncertain parts of the regulation, with most businesses not totally aware of what level of consent they’re required to gain before using data - expect more information over the coming months.
Right to be forgotten: Designed to give individuals more control over how their data can be used, the right to be forgotten allows anyone to request that a company delete the personal data it holds about them, unless there’s a genuine reason for it being kept. In effect, this lets an individual withdraw consent.
Higher fines: With current data protection laws having been written decades ago, there is little provision for adequate fines - you’ll often see astonishingly small fines for even the most severe issues, with the ICO currently able to fine a maximum of £500,000. With GDPR, this will increase to ~£17 million, or 4% of turnover - so expect companies to be far more proactive in avoiding data breaches.
We’d recommend taking a full look through the ICO’s guide to GDPR for more detailed information. We’re working to ensure that all our systems are fully compliant with GDPR, and will be sending out more updates over the next few months.