Adam Epstein
My name is Adam Epstein. I’m chairing today’s discussion. The discussion today relates to the issues that you and your business need to consider about self-reporting to regulators. Let me introduce you to our panellists. So, the first panellist, a guest from outside, from the ICO, is Laura Middleton. She’s the Group Manager for the ICO’s Personal Data Breach Service. And then in terms of the Mishcon folk we have here Jon Baines. Jon is a Senior Data Protection Specialist here. Niki is a Partner in our Betting and Gaming Group. And finally I should probably tell you who I am: I’m a partner here. I run the Regulatory Group and my particular expertise is in dealing with what we call distressed actions with the regulators. So, any kind of tricky situations that people have. So, let me start the discussion by just telling you a little bit about what we mean by self-reporting. Because obviously there’s all kinds of reporting that folk have to do in the regulated sectors, you know, annual reports or transaction reports. We’re not talking about that kind of reporting here. The self-reporting that we’re talking about here is effectively when you’re having to confess to the regulator that you’ve done something wrong or there’s been some kind of a breach. In order to give people a sense of where everyone’s coming from, it would just make sense to start with a little bit of context. So, Niki, can you just tell us a little bit about what the Gambling Commission requires by way of self-reporting?
Niki Stephens
The requirements for businesses licensed by the Gambling Commission kind of fall into two categories. There are a number of specific reporting requirements and then there are some more sort of general overriding principles. And on the sort of more specific side, most of the time we’re looking at things that require notifications to be made to the regulator and those are known as key events and, broadly speaking, those are events that could have a significant impact on the nature or structure of the business. As I mentioned, there are a number of other sort of specific notification requirements under the licence which would include a breach of the licence conditions themselves or the social responsibility code provisions of the LCCP, but as I say, there are also some overriding disclosure requirements which are more relevant to this discussion in particular. The Gambling Commission expects licensees to work in an open and cooperative way and to disclose to it anything which the Gambling Commission could reasonably expect to know. And there’s a similar expectation that’s actually set out in the LCCP which includes anything that’s likely to have a material impact on the licensee’s business or its ability to conduct its activities compliantly. So, those are the kind of situations where a number of different and sometimes competing factors will come into play.
Adam Epstein
So, Laura can you tell us what the requirements are for self-reporting and why the ICO regards those requirements as being important.
Laura Middleton
So, there’s a legal requirement to report certain personal data breaches to the ICO so, it’s not optional. By personal data breach we mean a breach of security leading to, amongst other things, the accidental or unlawful destruction, loss, disclosure of, or access to, personal data so, it isn’t every time you might fail to comply with the UK GDPR. Why it’s important is by telling the ICO that you’ve had a breach, you allow us the opportunity to provide you with advice and guidance at that really early stage. If we know about the breach then it helps us kind of manage complaints and enquiries from people who might be affected. We use the information that we get from data breach reports to look for trends. So, for example we might look at particular sectors to see what the common breach types are in those sectors and then we try and use those trends to turn that into advice and guidance.
Adam Epstein
I thought I’d bring in one of our competition partners and, as if by magic, here he is, Neil Bayliss. If you could just explain to the audience how it is that self-reporting works in competition and how that obviously contrasts a bit, and you can see a different impetus for that and for the other regulators.
Neil Bayliss
Yeah so, as you know Adam, the CMA is the UK regulator for competition and much consumer law as well. There’s no mandatory reporting requirement as such. What there is, is a very generous leniency programme which encourages people to come forward if they have been a participant in a cartel. The law allows them to come forward to the CMA, fully disclose what they’ve done and participate in the investigation with the CMA. It’s certainly better than the potential of a 10% of all turnover fine.
Adam Epstein
Okay thanks so much for that Neil. But what I really want to explore is the different elements that can go into decision-making that organisations may have about whether to self-report or not. And one element realistically of that, the calculus that people make, is the regulator’s going to find out anyway. There’s an obvious benefit isn’t there to making a virtue out of it? And that I think probably comes up a reasonable amount in data, which is why I wanted to ask Jon.
Jon Baines
The advent of GDPR did a few things and one thing it did do was raise the awareness of the general public around the issues of data protection. And what we see now is that increasingly the media, and I’d include social media in that, pick up quite quickly on issues that might be data breaches. So, what we have found with some clients is while they are internally just becoming aware of an issue, already the media are starting to run with it. I think this raises quite interesting issues for controllers as to whether they need to notify the ICO. Effectively, you only have to notify those breaches where there is likely to be a risk to the rights and freedoms of natural persons. And that test, that threshold, is not always straightforward to apply. So, the question may be, ‘Should we make this notification anyway even if the threshold might not be met, do we make a notification because at least we are in some respects controlling the information flow?’
Adam Epstein
Laura, how about if somebody took the decision not to report but the regulator then found out about it and took a different view. What would the ICO… what are the consequences of a failure to report if you, the ICO, think a report should have been made?
Laura Middleton
We do expect organisations, when we’re carrying out an investigation, to be open with us, and so it’s possible that if we decided to move to a sanction we would take into account there the fact that we found out about a breach in a way that wasn’t from a direct self-report. Or perhaps if we were taking action for the breach of security itself, so failure to have some sort of control or measure in place to prevent the breach from happening in the first place, we might then, you know, almost add an additional line to that sanction about the failure to report.
Adam Epstein
Can we just think about maybe what some of the more positive reasons for reporting might be?
Niki Stephens
I mean one of the things that we’ve touched on already is this idea of being open and cooperative with your regulator and so one of the main advantages of self-reporting is that you avoid that criticism. But there are some other sort of key advantages that I think are relevant to the decision-making and critically, or one of the key advantages is controlling that narrative and the flow of information. You know, a carefully crafted notification provides the regulator with enough information to be able to properly understand and assess the issue. You can also use it as an opportunity to try and forestall any questions that the regulator might have and the benefit of that is that if you provide too little information or they are bombarded with too much information you know, the regulator might not quite be able to make head or tail of what’s happening and take a more sort of scattergun approach in response, in a bid to find out the information it needs. Ultimately the regulator’s interested in you know, working out whether there’s been a breach of a regulatory obligation or if there’s an ongoing risk to the licensing objectives or harm or risk to consumers and by controlling that narrative you can assure the regulator that you are continuing to take steps that are necessary to address those particular risks and minimise harm. I think one of the other advantages that’s worth sort of touching on is the fact that if regulatory action does follow and there is a payment in lieu of a financial penalty made as part of a regulatory settlement, the Gambling Commission will take account of any early and voluntary disclosures that have been made.
Adam Epstein
So, those are some of the positive reasons for why you might report. The reasons why people might not want to report, I guess in some senses, are very obvious. What I wanted to think about actually is maybe some of the less obvious risks. And I know that Jon from his work has got a good sense of other risks that may be less obvious to people.
Jon Baines
A personal data breach as defined in Article 4.12 of the UK GDPR is a neutral thing and you should still notify this neutral event to the ICO. I mention that just because there is, certainly with personal data breaches that go public, even though it doesn’t, if you like, constitute any concession of fault on your part, what we increasingly see is what the phrase I keep coming back to – the long tail of a data breach – and that really consists of potentially a regulatory investigation but also complaints and increasingly claims or letters before claim, menacing letters coming in, and the solicitors, the law firms, take the view that this happened, therefore you must be at fault, therefore we’re going to threaten you with legal action.
Adam Epstein
Are there circumstances in which an organisation might notify a data incident or breach to you and you then effectively lean on the organisation to contact its customers to make sure that they can be made good or people can make claims?
Laura Middleton
There is a requirement to notify data subjects in certain circumstances. So, that is where the risk to those data subjects is considered to be a high risk. So, it’s a higher risk than reporting to the ICO to start with. So, if we thought we were in that territory then we would be encouraging the organisation to contact the affected data subjects and if that wasn’t done voluntarily then we have powers to compel the organisation to inform those data subjects. On the subject of complaints, I would almost say I can see that we were talking about maybe some of those breach reports that are made that don’t meet the threshold. I think sometimes organisations almost like to get ahead of a complaint and make their notification to the ICO first, even if they’re not strictly required to do so, almost because they’re kind of seeing how things might play out with individuals in the future and they’re thinking, ‘Oh well,’ almost like, ‘If we come to the ICO then we can show that, you know, we’re being open and honest’. Making that notification to the ICO doesn’t necessarily kind of absolve you of dealing with those complaints. So, if the ICO’s view is, as Jon said, ‘Oh we can kind of…’ or ‘You’ve explained how this has happened and we can see how that’s happened and we don’t think there’s an underlying issue that’s led to this breach occurring. So, from our point of view there’s nothing more for you to do’. That kind of doesn’t get round dealing with that complaint and you might still have those complaints to deal with at a later stage.
Adam Epstein
So, what I’d like to talk about now is making sure that you as an organisation are in a position to recognise when you actually need to self-report and I know Niki’s got a few things to say about training and ensuring that people know what needs to be self-reported.
Niki Stephens
Put simply, you know, training is an imperative part of ensuring that there is a general awareness within the business of the licensee’s obligations to report, and ensuring that that training extends beyond your sort of compliance teams. You know, often we see businesses with very good training materials in place but they just aren’t delivered to the people on the ground.
Adam Epstein
In regulation there has been a real direction of travel over the last few years towards personal accountability. If I could just ask really quickly, first Niki and then Jon, how they see accountability playing out in betting and gaming and in data where it’s less obviously developed at the moment.
Niki Stephens
You know, as you say, there’s that same expectation of people in senior positions, personal management licence holders, as there is of the licensee, the corporate entity. It expects those people to disclose anything to the Gambling Commission that it would reasonably expect to know, it expects them to be open and cooperative, and what we’ve seen certainly in the last couple of years is that where the corporate entity has its licence reviewed, it’s increasingly common for the personal management licence holders to have their PMLs reviewed as well as a sort of follow-on to the main licence review.
Adam Epstein
Jon, it works somewhat differently doesn’t it, in data?
Jon Baines
The data protection framework works on the basis that the legal person that’s accountable is the organisation, the company, and I just stress some people sometimes think, ‘Oh well, if there’s a data protection officer then it must be them who’s accountable’. I think it’s crucial to say that’s neither the role nor the responsibility of a DPO, to take everything on their shoulders; they effectively perform an advisory role within an organisation.
Adam Epstein
In a number of situations there might be a number of different regulators. So, there could be different regulators domestically or there could be different regulators internationally and that might impact how people will decide to deal with self-reporting issues. Do you want to just tell us a little bit about that?
Jon Baines
So, the UK, as I guess everyone knows, is no longer part of the EU. We’re now subject… companies, controllers in the UK, are subject to the UK GDPR. The EU GDPR carries on regardless in the rest of Europe and what that creates is the slightly problematic position for companies who are operating in the UK and in European countries in that when it was all one thing, one EU and one GDPR, there was the concept of a lead supervisory authority. With the UK out of the EU now, there is a risk that the lead supervisory authority concept falls away for UK controllers and if you’re operating in European countries, you may find yourself having to make notifications to regulators in all of those countries and potentially be subject to regulatory investigations in all of those. So, that’s a long answer to say it’s complicated.
Adam Epstein
Thank you to all of you and what I hope people can take from it is that these are the things that don’t only apply to the particular regulated sectors that we’re talking about but can apply across the board and really I just want to say thank you very much and we hope to see you at our future events or digital sessions.
The Mishcon Academy Digital Sessions. To access advice for businesses that is regularly updated, please visit mishcon.com.