The offshore wind sector has brought new and exciting opportunity to our shores and companies, large and small, are eager to capitalise on its growing success. While this should of course be supported and encouraged, there is always risk attached to any new venture. However, by taking the necessary steps, such risk can be mitigated. In a special report, Wilkin Chapman’s GDPR specialists, Jonathan Goolden and Adam Ottley, look at how the massive data protection breach that hit British Airways during the summer should be a warning to all companies.
The recent data protection breach to hit the headlines worldwide should not be ignored by firms looking to secure or renew contracts within the wind energy sector.
Jonathan says, “The British Airways breach was enormous – taking place over a two-week period at the height of the summer season, it affected 380,000 transactions with names, email addresses and credit card details - including the long number, expiry date and the three-digit CVV security code – stolen by hackers.”
Adam says, “There may be a false assumption that firms securing contracts in other sectors, and that are perhaps not as large, need not worry about such a breach. However, that is far from the case and, while such an incident on a smaller scale may not affect as many people, it will be just as serious for all those involved.”
To put it simply, if you are a company that stores data, or has a third-party organisation doing so on your behalf, then you are at risk and must ensure that you are GDPR compliant and any contracts you enter into afford you adequate protection.
Jonathan says “You may hold electronic data records of contractors or suppliers within the sector yourself. Or you may use a third-party to handle your payroll or HR services – in which case you must ensure both you and they are compliant with current regulations and your systems are as secure as possible.
It would appear, from the cases we have heard about already this year, that the most vulnerable amongst you will be those who do use a third-party to hold data. As a result, let us look at how you can best protect yourself:
All businesses that outsource services to third-party ‘processors’ of personal data need to put a written contract in place – this should have been implemented by 25 May 2018; however if you have missed this deadline then it is not too late to rectify this position so as to ensure you are compliant. The contract must contain certain fundamental clauses, which are set out in the regulation.
This is not a box-ticking exercise – the adoption of new contractual terms is mandatory, however additional work should be carried out to ensure continuing compliance. An element of due diligence should also be carried out on suppliers, proportionate to the scale of the processing and the sensitivity of the data they will receive. This would involve vetting new suppliers and revisiting old suppliers to ensure that their internal systems are geared up to comply with the new terms that have been introduced.
Where a significant amount of data is being processed or the data is particularly sensitive, I would suggest going further than the bare minimum GDPR-compliant clauses, for example by imposing obligations on suppliers to:
pseudonymise and encrypt personal data;
take steps to bolster the availability and resilience of the supplier’s systems and services;
ensure that access to personal data can be restored in a timely manner after an incident;
regularly assess and evaluate the effectiveness of their technical and organisational measures.
Where possible, controls should be introduced on the ability of any third-party processor to subcontract its processing services – this is because the further removed you are from the processing the harder it is to be certain that the relevant supplier is compliant and as the party who controls the data you are ultimately responsible. These sub-processors should be subject to the same due diligence/vetting exercises as the main suppliers.
Know where your suppliers are located and where they send personal data (whether intra-group or externally). Additional protections need to be put in place for data subjects, where their data is being transferred outside of the EU.
The above may seem daunting and to make the most of the opportunities that currently exist, any company will want to act fast to ensure they do not miss the ‘wind energy’ boat. But in doing so, please take the time to seek good advice with regards to contracts and on-going GDPR compliance.”