As a business owner, you need to handle your staff's and customers' personal data safely. The General Data Protection Regulation (GDPR), as retained in UK law, sets out the data protection principles your organisation must follow in England. However, these rules are not always straightforward, and a breach of them can lead to a hefty fine from the Information Commissioner's Office (ICO). This article explores three common GDPR-related issues for companies in England so that your business can comply with data protection rules and reduce the risk of a heavy ICO fine.
Why is GDPR Compliance Important in England?
Before exploring some common issues, it is important to examine why compliance with the GDPR is vital for your business.
The main reasons for compliance fall into three broad categories:
- legal;
- reputational; and
- financial.
Tackling the legal perspective first, your business needs to operate lawfully and in line with legislation. The three categories are linked: if your organisation fails to comply, the legal failure leads to reputational harm by way of bad publicity and loss of consumer confidence, as well as a potential financial penalty from the ICO.
Now we know the importance of the GDPR, let us explore three common GDPR-related issues.
1. Adequate Precautions
Cyber attacks against businesses in England are on the rise, and criminals target companies because of the value of the customer data they hold.
Two kinds of attack account for most incidents involving personal data:
- ransomware attacks; and
- data theft leading to a personal data breach.
In a ransomware attack, criminals encrypt your systems or lock you out of them and demand payment to restore access. Many ransomware groups also copy data out before encrypting it, so a ransomware incident is frequently a personal data breach as well, not just an outage. In a data theft attack, the aim is to take valuable personal data from your systems for unauthorised use, such as identity theft or fraud. In either case, a personal data breach that is likely to pose a risk to individuals must be reported to the ICO without undue delay and, where feasible, within 72 hours of your becoming aware of it, so your incident response plan needs to account for that deadline.
The GDPR requires your organisation to implement appropriate technical and organisational measures to protect personal data, and to keep those measures under review as threats change. Some examples of good cyber practice include:
- carrying out cyber security audits (including vulnerability assessments) at least once a year;
- providing staff with cyber security and data protection training, with regular refresher courses;
- applying software and operating system security updates promptly, since known vulnerabilities in unpatched systems are a common way in for attackers;
- using strong, unique passwords and enabling multi-factor authentication (a second factor, such as an authenticator app or hardware key, required in addition to the password); and
- keeping offline or otherwise isolated backups so that a ransomware attack does not also destroy your only copy of the data.
2. Safe Use of CCTV
Many business owners are unaware that the ICO can impose GDPR fines for improper CCTV use. CCTV footage in which individuals can be identified is 'personal data' under the GDPR, so it has protected status. Because of this, the ICO expects your company to follow certain procedures when operating a CCTV system, including:
- carrying out a data protection impact assessment (DPIA) before installing the system and reviewing it at regular intervals;
- storing footage securely, with access limited to the staff who need it;
- displaying clear signage near the cameras warning that CCTV is in operation and who operates it;
- deleting footage once it is no longer needed for the purpose it was collected, according to a defined retention period; and
- using the CCTV system only for a lawful purpose.
The last rule is very important. Generally, your company is only allowed to lawfully operate a CCTV system for one of the following reasons:
- safeguarding property;
- crime prevention;
- ensuring the security of individuals or staff; or
- protecting sensitive information from unauthorised use.
3. Handling Subject Access Requests
Many business owners are familiar with subject access requests (SARs), which give individuals the right to obtain a copy of the personal data you hold about them. SARs can add to a business's administrative burden, but the GDPR requires businesses in England to handle them correctly. This is not always simple, but your business can make the process easier by:
- verifying the requester's identity where you have reasonable doubts about it, and asking for any further information needed to locate their data and provide a complete and accurate bundle of documents;
- providing the requested data within one month of receiving the SAR (this can be extended by up to two further months for complex or numerous requests, provided you tell the individual within the first month);
- redacting parts of documents that contain personal data relating to other individuals, unless those individuals consent or it is otherwise reasonable to disclose it; and
- withholding legally privileged or confidential information (including documents marked 'without prejudice') and trade secrets, and recording why any material was withheld.
If the SAR touches on sensitive information, consider obtaining legal advice before finalising your response and sending the documents to the individual. This helps protect your valuable data and avoid fines from the ICO for non-compliance with data privacy rules.
Key Takeaways
Over recent years, many businesses have grappled with GDPR implementation and with keeping sensitive personal data secure. Because of this, many company owners have turned to lawyers to help meet the various GDPR requirements. The three areas businesses most often struggle with are implementing adequate data protection measures, using CCTV lawfully and handling SARs accurately.
If you need help complying with the GDPR, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
The ICO can fine an organisation that suffers a cyber attack where weak security contributed to the breach. Every business in England has an obligation under the GDPR to implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss or theft. Being attacked is not in itself a breach of the GDPR; failing to take reasonable precautions beforehand is.
No. The £17.5 million figure is a statutory maximum (the higher maximum under the UK GDPR is £17.5 million or 4% of annual global turnover, whichever is greater), and penalties in the millions are rare. However, the ICO does issue fines in the thousands or tens of thousands of pounds, so your business should be cautious about any GDPR breach.