The General Data Protection Regulation (GDPR) sets out the rules organisations must follow when handling personal data. Primarily, these rules are aimed at ensuring companies handle the personal information of their employees and clients safely and lawfully. However, complying with the GDPR is an ongoing process and can be quite complex, and failing to comply can result in significant fines for your company. This article explains four common challenges your business may face when trying to comply with the GDPR, and how to approach each of them.
Why Is It Important to Comply With the GDPR?
Any breach of the GDPR can lead to an investigation by the Information Commissioner’s Office (ICO). For the most serious breaches, the ICO can fine your company up to £17.5m or 4% of your annual worldwide turnover, whichever is higher.
The ICO’s role is to deter businesses from ignoring GDPR rules, so it is prepared to impose significant financial penalties to achieve that. Therefore, your company should make every reasonable effort to understand the GDPR and ensure it is complying.
Let us explore four common challenges you may face below.
1. Deciding When to Report Data Breaches
Under certain circumstances, your organisation must notify the ICO of a data breach within 72 hours of becoming aware of it. However, the test for determining whether your company must do so can be challenging to apply in practice. Essentially, your business must notify the ICO where both of the following statements apply:
- a ‘personal data breach’ occurs; and
- that breach could likely result in a ‘risk to people’s rights and freedoms.’
The definition of a personal data breach is fairly broad. It is not limited to leaked information: it covers any breach of security which leads to the accidental or unlawful:
- destruction;
- loss;
- alteration;
- unauthorised disclosure of; or
- unauthorised access to personal data.
However, the ‘risk to people’s rights and freedoms’ test is more complex. Ultimately, this rule exists to ensure companies refer themselves to the ICO where harm could arise to an individual through the misuse of their personal information. However, it can be difficult for businesses to know exactly where to draw the line between a minor data breach and one that could impact the ‘rights and freedoms’ of the people affected. Whatever you decide, record the breach, its effects and the remedial action you took; the GDPR requires you to keep this record even where you conclude that notification is not required. It may also be worth obtaining legal advice if in doubt, particularly as failure to report a relevant personal data breach is a breach of the GDPR in itself.
2. Ensuring Good System Security and Guarding Against Cyber-Attack
Some of the ICO’s most considerable fines have been imposed on organisations that inadequately guarded against the theft of sensitive data. These fines can run to millions of pounds.
Keeping your company’s systems secure is not a one-off task: attackers and their techniques change constantly, so information security requires constant vigilance and improvement.
However, some simple measures your organisation can put in place to try and increase its cyber resilience include:
- training your staff regularly in safe cyber practice (usually concerning the risks of phishing emails and clicking on suspicious links);
- keeping operating systems, applications and anti-virus software up to date, and installing security updates without delay;
- using long, unique passwords or passphrases rather than stock or predictable ones (‘password’, ‘admin’ and simple variations such as ‘mYbesTpa55word’ are all easily guessed), ideally stored in a password manager, and enabling multi-factor authentication wherever it is available; and
- regularly backing up your digital data so you can recover from a system failure or cyber-attack. Keep at least one copy offline or otherwise out of reach of your live systems, and test that you can restore from it; a ransomware attack that also encrypts your backups leaves you with nothing to recover from.
3. Deciding Whether to Appoint a Data Protection Officer
There are certain situations in which your company may require a Data Protection Officer (DPO). However, on many occasions, their appointment may not be mandatory. In this case, it becomes more of a business decision whether to do so.
Putting a DPO in place can help your company by:
- ensuring knowledge of all relevant GDPR rules;
- processing data safely and ensuring you are complying with the GDPR;
- carrying out the best practices concerning data management and guarding against accidental loss of data;
- ensuring safe data processing of any high-risk information;
- handling Subject Access Requests quickly and competently; and
- ensuring certainty around reporting data breaches to the ICO and ensuring reporting within the 72-hour deadline.
4. How to Safely Handle Subject Access Requests
A Subject Access Request (SAR) is a request from an individual (the data subject) to receive a copy of the personal data you hold about them, together with certain supplementary information such as why you are processing it and who you share it with.
Typically, some common ways to safely handle a SAR include:
- providing the requested information without undue delay and within one calendar month of the request (this can be extended by up to two further months where a request is complex or you receive several from the same individual, but you must tell them why within the first month);
- asking the individual to provide more detail as to which specific information they are looking for (to help streamline your search), without using this as a way to delay a clearly worded request;
- redacting (blanking out) information relating to other individuals unless they consent or it is otherwise reasonable to disclose it (for example, on a document discussing staff salaries, you should redact all other names, home addresses and salary levels); and
- avoiding the disclosure of materials marked ‘without prejudice.’
Many companies, particularly those without a DPO, choose to engage a lawyer to assist with complex SARs. This can be particularly helpful because the ICO can provide fines for any failure to handle SARs correctly.
Key Takeaways
Overall, the GDPR encourages your business to collect, store, and handle all private data safely and securely.
Further, when a personal data breach does occur, the ICO will expect you to inform them of any relevant breach within 72 hours of becoming aware of it. Having appropriate policies in place and maintaining a sound security system is a good starting point for complying with the GDPR, and can help you avoid hefty financial penalties from the ICO.
If you need help ensuring you are complying with the GDPR and data protection rules, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
When is appointing a DPO mandatory?
The appointment of a DPO is mandatory where your organisation is a public authority, or where its core activities involve large-scale processing of ‘special categories of data’ or the regular and systematic monitoring of individuals on a large scale. However, many organisations still appoint a DPO where not mandatory due to the various benefits they can bring to your business.
How do I securely dispose of personal data I no longer need?
If the documents are on paper, your company can achieve this by shredding them or using a reputable disposal company. If you wish to delete digital documentation, simply moving it to the recycle bin is not enough; use specialist deletion software or the storage device’s own secure erase function so that no one can recover it. Note that overwriting tools written for magnetic hard drives are not reliable on solid-state drives, where encrypting the data and destroying the key is the safer approach. You should also delete the data from any digital backups, or ensure those backups are held so that the data cannot be restored or used.