
The first GDPR rulings on spreadsheet breaches are in – are the floodgates opening?

The impact of GDPR is starting to be felt. The UK Home Office appealed a data breach ruling under new legislation with an interesting outcome for businesses working with spreadsheets.

Since the General Data Protection Regulation (GDPR) came into force in May, there has been little visible enforcement activity. To those not involved in the work of regulators behind the scenes, it might seem that the threat of GDPR was as overhyped as Y2K.

However, the threat of enforcement and prosecution is very real, and behind the scenes a lot of activity is taking place. The Information Commissioner's Office (ICO), the UK data protection regulator, received 1,106 data protection complaints in the three weeks after the GDPR came into force on 25th May, along with an increase in data breach notifications.

Interestingly, the picture varies hugely across Europe: Belgium reported just 3 complaints in 26 days, Ireland received 547 data breach notifications and 386 complaints, and Poland reported 756 in 37 days (according to data gathered by the IAPP from DPOs across Europe).

There are thousands of reports waiting to be investigated by regulators across Europe, and it will be interesting to see the outcomes of the first GDPR governed cases.

However, one case that has concluded recently, unsurprisingly, involves a data breach related to a spreadsheet. While the breach was first identified and the original case concluded in 2016, an appeal was heard in June this year with interesting results.

The case of The Secretary of State for the Home Department & Anor v TLU & Anor [2018]

Back in 2016, the UK Home Office inadvertently published online a spreadsheet containing details of people who were applying for asylum or for permission to stay in the UK. The information included sensitive and personally identifiable data. It took almost two weeks for the breach to be noticed and the spreadsheet to be removed, and a further few weeks for it to be reported to the ICO. During the 13 days that it was accessible online, a member of the public reposted it on a US website, where it remained for a further 24 days before being removed. A statement was made in Parliament and any affected individuals who were still in the UK were notified of the breach. The ICO took no action.

The affected individuals claimed damages and received between £2,500 and £12,500 each in compensation. In one case the claimants included family members of one of the individuals named in the spreadsheet. The Home Office appealed that award on the grounds that the family members had not themselves been identified in the spreadsheet.

The appeal was rejected and the claimants kept the compensation awarded under the original ruling. This case is of particular interest for a few reasons.

Firstly, the victims' family members were allowed to claim as well, even though they were not specifically named. There was evidence that they could be identified from the spreadsheet, and in fact had been. The judgement reflects the broad definition of personal data that the GDPR adopts, rather than the narrower reading that had been applied under the Data Protection Act.

Secondly, the previous directive was rather vague about what data subjects could sue for, and the focus was on material damage (financial loss) rather than distress. In this case the victims and their family members were able to claim for non-material damage, namely the distress and anguish the breach caused, rather than only for actual losses. Under the GDPR there is no cap on such damages. So while the payout in this case was relatively small, it is a warning to companies that do not make data protection a priority.

Finally, a judgement like this so early in the life of the new regulation is likely to set a precedent for future cases. It puts the power firmly in the hands of individuals rather than businesses, which could open the gates to more claims and larger awards.

GDPR is not just a challenge for Europe

While there was a lot of press coverage in the run-up to the new European data protection laws, Europe is not the only place where legislation is tightening. For example, the California Consumer Privacy Act of 2018 comes into force in 2020 and uses language similar to the GDPR's. India has also proposed similar privacy legislation in the form of the Personal Data Protection Bill, 2018. Changes are being made across the globe, and it is time for Risk Managers to stop waiting to see what enforcement looks like and take action to protect their businesses.

To do this, Risk Managers need to identify the jurisdictions that apply to their business, understand the relevant laws, and plan a risk management approach that addresses those risks.

The Data Governance module from Ventiv is an add-on to RiskConsole Advance, our risk management application, which centralizes risk management and allows you to know where all your data is stored. With restricted reporting that is compliant with GDPR, it reduces the risk of spreadsheets running rampant and it allows for better control of your risk footprint.

Get in touch with the team at Ventiv Technology today to understand how the Data Governance module could help you meet your data protection obligations.


Scott Wilson is Chief Information Security Officer & Privacy Officer for Ventiv Technology. Contact Scott at scott.wilson@ventivtech.com or connect with Scott on LinkedIn.



Sep 18, 2018
