Giant hack: Advice for umbrella company contractors with personal data potentially exposed

Contractors with Giant Group or another umbrella company confirming itself to be the victim of hacking should first check if the umbrella is in-line with its UK GDPR obligations, notably Article 33 – notification to the ICO, and Article 34 – notification to data subjects, writes solicitor Charlotte Gerrish, founder of data law firm Gerrish Legal.

Reporting duty

This is because any company acting as a data-controller which has been subject to a data breach, and especially an umbrella company storing sensitive personal data, potentially including work permits, visas, ID, payroll or tax information, needs to report such breach to a supervisory authority.

In the UK, that authority is the Information Commissioner’s Office and the reporting must be carried out no later than 72 hours after having become aware of the breach, UNLESS the personal data breach is unlikely to result in a risk to individuals’ privacy rights. If there has been a delay (to the reporting), or the umbrella company decided not to report to the ICO, affected contractors should ask why.

Eight other things contractors should ask

Affected contractors can also ask their umbrella company, if hacked, for details about:

• the nature of the personal data breach including the categories and approximate number of data subjects concerned;
• whether any other controllers/processors were involved in or contributed to, the breach;
• what personal data records have been subject to the breach;
• how many records have been affected;
• a description of the umbrella company’s assessment on the likely consequences of the personal data breach for affected contractors;
• the measures taken or proposed to be taken by the umbrella company to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects;
• whether the clients of the umbrella company (where the contractor is performing services) have been affected by the breach and the consequences for the contractor / next steps for the contractor to take;
• ask for the name and contact details of the umbrella’s data protection officer or other contact point/person, where more information can be obtained

Further actions for contractors using a hacked umbrella

Contractors need to be able to protect themselves in the event of a breach, and so need all relevant information to take the relevant steps to do so – such as by informing their own insurance companies, and taking steps to protect against identity theft or other infringements on their privacy rights.

Seeking the above information is the starting point for handling the potential adverse effects on them individually, and on their small company.

Where any client data has been compromised (or the data of any substitute), then the contractor should also check the underlying agreements with those parties to ensure contractors act in accordance with any contractual commitments they signed up to.

Lastly, vet and audit as lax won't be viable for long

Finally, given Giant’s security breach and reports of ‘clone’ umbrella companies set up for the purposes of fraud, it is recommended that contractors vet and audit the GDPR and information security compliance of any new umbrella company BEFORE signing up with that company. In a candidate-driven market, especially where niche and highly skilled IT contractors are extremely sought-after, umbrella companies cannot afford – financially or reputationally -- to be lax with GDPR compliance requirements since contractors can have their pick of providers.