Data protection affects everyone, as the Ritz Hotel discovered: its customers were targeted by scammers who used the personal data of guests with reservations at the Ritz to obtain bank and credit card details directly from those guests over the telephone. The scammers then used the card details to buy goods from Argos.
It is not yet clear how the personal data was obtained, nor how successful or far-reaching the scammers have been. What is clear is that it was not the customers' financial or payment card details that were leaked in the first place. The scammers leveraged the personal data they could obtain (the names and telephone contact details of customers who had made reservations, and the fact of the reservation itself) to call those customers, posing as hotel staff and asking for payment details to "confirm" the reservation. A leaked booking list, with no card data in it at all, was enough to make the pretext convincing.
How does this involve a data breach?
It may be quite a low-tech scam, but it did involve a personal data breach under the GDPR (as well as a fraud to be reported to the police): whoever obtained the reservation data had unauthorised access to personal data, regardless of whether payment details formed part of what was taken. The Ritz has since contacted the ICO to report a potential data breach, and has also notified the public generally (via Twitter) and its customers of the incidents.
When should the ICO be notified?
Deciding whether and when to notify the ICO of a potential personal data breach can be difficult, and not all breaches warrant reporting to the ICO. Where a breach is reportable, the GDPR requires notification without undue delay and, where feasible, within 72 hours of becoming aware of it, so the assessment below has to be carried out quickly.
If you suspect a personal data breach may have occurred, the first step is to identify the nature of the personal data affected and assess whether the breach poses a risk to people. What is the likelihood and severity of the risk to people's rights and freedoms flowing from the breach? For this you will need to take into account the circumstances of the breach, how quickly it was discovered and the actions you have taken since discovering it.
If it is likely that the breach poses a risk to the data subjects, you must notify the ICO. Where the breach is likely to result in a high risk to the data subjects, you must also notify them directly, so that they can take action to protect themselves from the potential harm (in the Ritz case, by refusing to give payment details to callers claiming to be hotel staff). If it is unlikely that the data subjects will suffer harm, you do not have to report the breach to the ICO, but you must still document the breach yourself (for internal record keeping and evidence), together with the decision-making process that led to you not notifying the ICO.
Points to remember
First of all, what constitutes a personal data breach? A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Unauthorised access on its own is enough; the definition does not require that the data has been misused yet.
It is important to remember that personal data can be stored in a number of ways, not just digitally or online. It may be handwritten or held in a traditional hard-copy file, in which case a breach could occur simply by leaving that file on the train, for example.
There are different types of personal data, including 'special category' personal data (such as data revealing racial or ethnic origin, health data or data concerning sexual orientation), and the sensitivity of the data must be taken into account when assessing the likelihood and severity of harm that may flow from a breach. Note that payment card and bank details are not special category data under the GDPR, but their loss can still give rise to a high risk of financial harm, as the Ritz case shows.