Before the General Data Protection Regulation took effect, much of the commentary focused on the level of fines which might be levied for GDPR breaches. That there are other implications of GDPR breaches appears from an interesting article by Cordery called UK appeal court ruling on spreadsheet data breach damages case.
The article reminds us first that individuals affected by a data breach can bring claims for compensation or damages against the organisation responsible for the breach. Second, it reminds us that spreadsheets (historically a problem in electronic discovery anyway) are frequently the source of inadvertent disclosure by data breach.
There is a third point, which Cordery is too tactful to mention. I have no such inhibitions. The offending organisation was the UK Home Office, an organisation which combines incompetence and a singular degree of unpleasantness dating back (at least) to the time when Theresa May was Home Secretary, keen to create a “hostile environment” for anyone whose race, skin colour, or religion did not meet the approval of the far right wing of the Conservative party. By the time of the appeal judgment discussed by Cordery, May’s successor Amber Rudd had been forced to resign because of the Home Office’s handling of the Windrush generation. Yesterday, the Court of Appeal found that the Home Office “materially misled” a High Court judge and displayed “a serious breach of duty of candour and cooperation” in relation to the handling of child refugees from Calais. This was not a data breach case, though spreadsheets and personal data were again involved, but lack of candour towards the court is a recurring theme in matters of disclosure.
It may be said that the Home Office really doesn’t care too much about its reputation – its pen-pushers get their salaries and pensions anyway, and the present Home Secretary, Sajid Javid, though better than his two immediate predecessors and apparently willing to make a stand on some issues, has his eye on the top job and won’t want to fall out with the 30 or so far right MPs who really control the Conservative party. Besides, the Home Office is a hotbed of institutional incompetence, and could not remedy its defects if it tried.
Nevertheless, the various incidents involving the Home Office illustrate a point which I and others have long been making about data breaches – the fines, however high they go, might be the least of the issues faced by an organisation which gave inadequate protection to the personal data in its care. If the Home Office bureaucrats really don’t care about their reputation, that is not a luxury enjoyed by organisations with customers and shareholders watching them.