DO CHICKEN BITES HURT? A Proverbial Approach to Data Breaches

By Chaka Henderson

I know, you are probably thinking that this Data Protection Practitioner has now completely and thoroughly lost the plot!

Image 1:


Why, oh why, would we be looking at an image of a rooster in a Data Protection article? Surely all the basic training one gets on Data Protection and the UK-GDPR states that Data Protection relates to natural persons, also known as living human beings?

Well, yes! GDPR and the Data Protection Act 2018 are concerned about the protection of living individuals’ data. For today’s write-up however, I thought I would delve into my African heritage and share some wisdom gleaned from an ancient proverb.

“In order to get back something of value, that is being carried off by a determined chicken in its beak, one needs to take a calm and gentle approach throughout the entire endeavour.”

I hear you saying, ‘Okay, I’m still not sure what this has to do with a serious subject such as GDPR/Data Protection?!’

Perhaps some background will help. In February this year, the Information Commissioner’s Office (ICO) fined the Ministry of Defence (MOD) £350,000 for a data breach. The breach involved the MOD sending out bulk emails without taking appropriate steps, such as using the ‘bcc’ function or mail merge, to protect individuals’ email addresses.

This incident might sound familiar and, I’m sure, will be recognisable to many of us.

A few things struck me about the report on the MOD data breach.

Firstly, from my knowledge of how things work at a policy and strategic level, the ICO do not easily fine public sector organisations.

Secondly, on reading the summary of the case, I thought that £350,000 didn’t sound like a particularly large fine. It was only when I read through the finer details that I realised what had happened.

The MOD had applied the ‘African proverb’ in their handling of the “charge” and fine. The fine was smaller because it had been reduced.

The original fine with which the MOD had been slapped was a whopping £1,000,000. However, the MOD subsequently highlighted to the ICO some mitigating factors that led to the breach. Further, they demonstrated that they had taken some relevant and appropriate actions to reduce some of the risk to the best of their ability once the incident had been discovered.

Because of this transparency and willingness to act quickly to minimise the impact of the data breach, the MOD were able to secure the reduced fine. This was initially reduced to £700,000 for mitigating factors and then to £350,000 for their swift action.


So what does any of this mean for an organisation?

Now this is the question we should be asking! Over the years, I have realised why many organisations place a high premium on the concept of responsiveness. Customer Care teams have long honed this ‘responsiveness’ concept.

Responsiveness is not only promoted at organisational level, but it is also being promoted in our private/personal spaces - our homes. The trendy term for “responsiveness” at home is, “being present.”

Did I hear you say, “hang on, now we are reading about people’s homes and households?” Perhaps it was my imagination. Anyway, I am sure the connection between individuals’ personal data and their personal spaces (home) is an obvious link.

To conclude, how we respond to data breaches matters. Our response and responsiveness will determine whether the chicken bites and how badly the bite hurts. A swift and considered response allays the fury of an aggrieved data subject, and ultimately this works in favour of organisations when faced with the risk of reputational damage and loss of business, as well as financial risks resulting from potential ICO fines.
