Article 1: Processor Breach

December 19th, 2019

This is the first in a series of articles intended to guide your business through the practical and pragmatic aspects of real-world problems. These articles assume that the reader has some familiarity with the legislation; what we will try to do is show how the requirements can be applied in practice. The first topic we will address is what to do if you, the data controller, or a data processor working for you, discover a potential or actual data breach.

Four variants on the following scenario are examined below. One of your vendors that processes information for your political party campaign office informs you that they have been compromised and that the personal data of many thousands of data subjects may have been accessed by an as-yet unknown entity. Your duty in this event depends on several time-critical factors, outlined below. Each variant, in order of increasing severity, will be examined through four lenses: Processor Action, Controller Implication, Controller Reaction and "To make this scenario less severe, you need to …".

Variant 1

Processor Action: The processor informs you immediately of the situation.

Controller Implication: Given the number of data subjects affected and the nature of the information (sensitive), the data controller has no choice but to inform the data protection authority within 72 hours.

Controller Reaction: From a practical point of view, the controller may wish to conduct a rapid investigation to assess the severity of the situation, to avoid unnecessarily contacting the Data Protection Authority of the country or countries in question (in the UK, this would be the Information Commissioner's Office).

To make this scenario less severe, you need to … review your contract(s) with the vendor, ensuring that they contain the following elements:
- acceptance of liability;
- an agreed and tested protocol of communication between processor and controller: who will inform the Data Protection Authority, and under what circumstances.

Variant 2

Processor Action: The processor informs you of the situation, but only after most of the 72-hour window has passed. They have not told the Data Protection Authority.

Controller Implication: The controller is potentially exposed to a severe financial penalty from the Data Protection Authority and to loss of reputation. The controller's Data Protection Officer is put under severe time pressure.

Controller Reaction: Ask the data processor whether they have informed the Data Protection Authority and, if so, when. If they have, see our forthcoming article on Vendor Management. The risk is that decisions taken in haste will be imperfect.

To make this scenario less severe, you need to … review your contract(s) with the vendor, ensuring that they contain the following elements:
- inform the data controller as soon as the problem is discovered;
- set up within both the processor and the controller a hierarchy of decision-making, so that decisions can be taken quickly, even out of hours or during Bank Holidays;
- set up an internal playbook of pre-agreed actions under various scenarios, only to an appropriate level of detail.

Variant 3

Processor Action: The processor informs you of the situation, but only after more than 72 hours have passed since they became aware of the problem.

Controller Implication: The controller is certainly exposed to punitive action, as is the processor.

Controller Reaction: The controller conducts a rapid investigation to assess the severity of the situation and informs the Data Protection Authority. The duration of the investigation will need to balance the benefit of a longer investigation (more knowledge) against the downside of an increasing delay before informing the authority and the data subjects (more reputational damage, financial penalty).

To make this scenario less severe, you need to … review your contract(s) with the vendor, ensuring that they contain the following element: develop a relationship with the Data Protection Authority, and hence an understanding sufficiently strong to get a feel for the appropriate speed/detail trade-off before communication.

Variant 4

Processor Action: The processor does not inform you at all, and you find out because you are contacted by the data subjects, the Data Protection Authority or another authority, e.g. the Police.

Controller Implication: The controller is certainly exposed to punitive action, as is the processor. The implications are one or more of: a) the processor is not in control of its process; b) the controller has not put the processor under adequate contractual obligations.

Controller Reaction: A class action by the data subjects could have much more weight.

To make this scenario less severe, you need to …
- develop a relationship with the Data Protection Authority, and hence an understanding sufficiently strong to get a feel for the appropriate speed/detail trade-off before communication;
- review your contracts with the processor.