Skip to content
LegalVision UK

4 Common Challenges Your Company Will Face With the GDPR in the UK

Avatar photo

By Thomas Sutherland

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn
Table of Contents

The General Data Protection Regulation (GDPR) provides organisations with data protection rules. Primarily, these rules focus on ensuring companies safely handle the personal information of their employees and clients. However, ensuring your business is complying with GDPR is an ongoing process and can be quite complex. Furthermore, failing to do so can result in significant fines for your company. This article will explain four common challenges your business may face when trying to comply with GDPR rules so your company can comply with data protection law. 

Why Is It Important to Comply With the GDPR?

Any breach of the GDPR can lead to an investigation by the Information Commissioner’s Office (ICO). The ICO can provide your company with hefty fines of up to £17.5m for a breach of GDPR rules.

The ICO’s role is to deter businesses from ignoring GDPR rules. So, they are not afraid to provide significant financial penalties as a deterrent. Therefore, your company should make every reasonable effort to learn and ensure you are complying with the GDPR.

Let us explore four common challenges you may face below. 

1. Deciding When to Report Data Breaches

Under certain circumstances, your organisation must notify the ICO of a data breach within 72 hours. However, the test for determining whether your company must do so can be challenging to apply in practice. Essentially, your business must notify the ICO where both of the following statements apply:

  • a ‘personal data breach’ occurs; and
  • that breach could likely result in a ‘risk to people’s rights and freedoms.’

The definition of a personal data breach is fairly broad. It includes a large variety of leaked information and any security breach which leads to the accidental or unlawful: 

  • destruction;
  • loss;
  • alteration;
  • disclosure; or 
  • unauthorised access to personal data. 

However, the definition of ‘people’s rights and freedoms’ is a bit more complex. Ultimately, this rule applies to ensure companies refer themselves to the ICO if harm could arise to an individual through the misuse of private information. However, it can be difficult for businesses to know exactly where to draw the line. Further, it can be challenging to determine the difference between a minor data breach and one that could impact the ‘rights and freedoms’ of others. Therefore, it may be worth obtaining legal advice if in doubt, mainly as failure to report a relevant personal data breach is a breach of the GDPR in itself.

2. Ensuring Good System Security and Guarding Against Cyber-Attack

Some of the ICO’s most considerable fines occur with organisations that inadequately guard against the theft of sensitive data. Sometimes, these fines can be as significant as millions of pounds.

Indeed, ensuring your company has sound security and anti-virus protection systems is an ever-changing process. Therefore, information security is an area requiring constant vigilance and improvement. 

For example, firewalls and anti-virus protection systems that were strong ten years ago may potentially be very weak today.

However, some simple measures your organisation can put in place to try and increase its cyber resilience include:

  • training your staff regularly about safe cyber practice (usually concerning the risks of phishing emails and clicking on suspicious links);
  • using the latest, most robust anti-virus software and installing all recommended updates without delay;
  • using complex passwords rather than stock passwords (for example, ‘mYbesTpa55word’ is much better than ‘password’ or ‘admin’); and
  • regularly backing up your digital data in the event of a system failure or cyber-attack. This should help your company relaunch its system and files following an attempted ransomware attack.

3. Deciding Whether to Appoint a Data Protection Officer

There are certain situations in which your company may require a Data Protection Officer (DPO). However, on many occasions, their appointment may not be mandatory. In this case, it becomes more of a business decision whether to do so.

Putting a DPO in place can help your company achieve the following targets by:

  • ensuring knowledge of all relevant GDPR rules;
  • processing data safely and ensuring you are complying with the GDPR;
  • carrying out the best practices concerning data management and guarding against accidental loss of data;
  • ensuring safe data processing of any high-risk information;
  • handling Subject Access Requests quickly and competently; and
  • ensuring certainty around reporting data breaches to the ICO and ensuring reporting within the 72-hour deadline.

4. How to Safely Handle Subject Access Requests

A Subject Access Request (SAR) is a request from an individual (the data subject) to receive a copy of specific information you hold about them. 

Typically, some common ways to safely handle a SAR include:

  • providing the requested information within one calendar month of the request;
  • asking the individual to provide more detail as to which specific documents they are looking for (to help streamline your search);
  • redacting (blank out) any information relating to other individuals (for example, on a document discussing staff salaries, you should redact all other names, home addresses and salary levels); and
  • avoiding the disclosure of materials marked ‘without prejudice.’

Many companies, particularly those without a DPO, choose to engage a lawyer to assist with complex SARs. This can be particularly helpful because the ICO can provide fines for any failure to handle SARs correctly.

Key Takeaways

Overall, the GDPR encourages your business to collect, store, and handle all private data safely and securely.

Further, when this does not happen, the ICO will expect you to inform them of any relevant personal data breach within 72 hours. In addition, having appropriate policies in place and maintaining a sound security system is a great starting point in complying with the GDPR. Indeed, doing this can help you avoid hefty financial penalties from the ICO. 

If you need help ensuring you are complying with the GDPR and data protection rules, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

Frequently Asked Questions

When is my business required to appoint a Data Protection Officer (DPO)?

The appointment of a DPO is mandatory where your company’s main activities involve handling ‘special categories of data’ or the regular monitoring of individuals. However, many organisations still appoint a DPO where not mandatory due to the various benefits they can bring to your business.

How does my company safely dispose of physical and digital documentation?

If the documents are in paper, your company can achieve this by shredding the data and using a reputable disposal company. However, if you wish to delete digital documentation, you should consider using specialist deletion software that ensures no one can recover it. Furthermore, you should also delete the data from any digital backups of your IT database.

Register for our free webinars

A Roadmap to Business Success: How to Franchise in the UK

Online
Learn the formula for successfully franchising your UK business. Register for our free webinar today.
Register Now

Corporate Governance 101: Responsibilities For Directors

Online
Learn key responsibilities for new directors to avoid legal risks. Join our free webinar to learn more.
Register Now

Business Divorces: Exiting Directors and Shareholders From Your Company

Online
Removing a board director is not simple. Join our free webinar to understand your options. Register today.
Register Now
See more webinars >
Thomas Sutherland

Thomas Sutherland

Read all articles by Thomas

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

5 Key Steps to Take Before Signing a Business Contract in the UK

Do Directors Have a Duty of Care in the UK?

Privacy Laws in England and Wales: What are Your Obligations as a Business?

Privacy Obligations When Developing Apps in England and Wales

We’re an award-winning law firm

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards

  • Award

    2021 Fastest Growing Law Firm in APAC - Financial Times