I'm not ashamed to admit that I am busy counting down the days at the moment. Having spent a lot of this year feeling like I was one of the few people getting excited about it, it now feels like it's suddenly everywhere. And before much longer there will be that glorious morning when I wake up, eyes aglow, to see what the world looks like blanketed under a wonderful canopy of new data privacy legislation.
Still, that's not until next May, and in the meantime there's Christmas to get past so that we can start focusing again on the exciting stuff like Article 29 Working Party guidance, and the next Commons stage of the UK Data Protection Bill.
So, to help the time pass, I have prepared a series of posts which I am going to be putting out on a daily basis via Passle over the next three and a half weeks. Through these I am going to use what I must stress is an entirely imaginary case study to pick up on a number of the data privacy issues that I have been asked about this year, and to flag up some of the ways in which we really will be operating in a new regulatory landscape from the middle of next year.
So, without further ado - let's open Door 1:
"I have a client, let's call him Nick. He operates a large business, employing many thousands of staff. The business is engaged year round in toy manufacturing, but also has a business critical logistics arm which, once a year, becomes the exclusive focus of the business's activities.
The logistics business is the public-facing part of Nick's operation. For its success it relies on maintaining extremely accurate records of young people, which necessarily include a range of personal data both about the children themselves (name, age, address) and their activities during the year (which are processed in order to establish levels of naughtiness or niceness). Some years ago, Nick discovered that managing this list was becoming unwieldy and appointed a third party organisation (External Logistics Force, or "ELF") to process this data on behalf of his organisation.
So, it's December 1st and Nick has just been informed that an ELF employee accidentally left a portion of the above records on an unencrypted, publicly accessible cloud server for several months earlier this year. He has been told by ELF that they have only just discovered this and are working to investigate and shut down the breach, but he urgently needs to know what he should do next.
Come back tomorrow to find out about our first steps to assist him in those first critical 24 hours..."
What should I do if there is a security breach?

If, despite the security measures you take to protect the personal data you hold, a breach of security occurs, it is important that you deal with the security breach effectively. The breach may arise from a theft, a deliberate attack on your systems, from the unauthorised use of personal data by a member of staff, or from accidental loss or equipment failure. However the breach occurs, you must respond to and manage the incident appropriately. Having a policy on dealing with information security breaches is another example of an organisational security measure you may have to take to comply with the seventh data protection principle.