Skip to content

Five Common Mistakes Made by Businesses Handling Personal Data in England

Table of Contents

As a business owner, you must handle personal data safely and lawfully. This is a crucial requirement of the General Data Protection Regulation (GDPR), and failing to do so may result in a hefty fine from the Information Commissioner’s Office (ICO). To help, this article will explore five common mistakes made by organisations in England concerning handling personal data. Your business should avoid these mistakes to increase your chances of good data protection compliance.   

What is ‘Personal Data’?

The GDPR contains a broad definition of ‘personal data’ and includes any information that can help identify an individual. ‘Personally identifiable information’ can consist of the following: 

  • names;
  • postal addresses; 
  • mobile numbers; 
  • email addresses; 
  • IP addresses; or 
  • dates of birth.

Personal data does not just relate to written information but also video and audio recordings.

Below are five common GDPR mistakes businesses in England make when handling personal data. 

1. Treating Only Digital Information as at Risk

Information stored on paper comes under the same data protection rules as digital information, yet it can sometimes be more expensive to dispose of physical data safely. This is because sensitive information should be shredded and disposed of using a secure, confidential waste service. Simply placing documents containing personal data within the regular rubbish is a breach of the GDPR as it exposes sensitive information to data theft.

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

2. Keeping Personal Information for Too Long

The GDPR requires your business to store personal data only for as long as reasonably necessary. So, for example, there is no need to store the home address of a one-time customer who last purchased an item ten years ago unless they have explicitly opted-in to postal newsletters in the interim.

Keeping information beyond its useful lifespan means that your company will have more personal data to lose within a cyberattack, which risks a higher fine from the ICO. This is not to mention that storing a higher amount of digital information costs more, so less data means lower costs.

3. Not Providing Staff With Cybersecurity Training

Like most businesses, from small businesses to multinational corporations, your company is likely to use electronic systems. Where your business stores information by digital means, there is a risk of cyberattack and data loss.

Cyberattacks on businesses in England are becoming more sophisticated and commonplace each year, so your company needs to take proactive measures to defend against them. Therefore, you should train your employees to avoid user errors and common traps like phishing emails or virus-laden email links used by cybercriminals to gain unauthorised access to your computer systems. Unfortunately, a successful cyber attack is likely to be classed as a data breach (or personal data breach) by the ICO.

The cost of training your staff is almost certainly lower than the potential cost of losing access to your organisation’s systems within a ransomware attack, alongside facing a possible fine from the ICO. 

Front page of publication
UK Startup Manual

LegalVision’s Startup Manual is essential reading material for any startup founder looking to launch and grow a successful startup.

Download Now

4. Weak Password Systems

While a strong password is a basic security measure, many organisations remain guilty of using predictable, easy-to-crack passwords for important accounts. Nowadays, cybercriminals can gain access to modern computer programs through a brute force attack which is by entering thousands of common passwords in quick succession.

There are two simple solutions to counter this threat:

  1. enable two-factor authentication, which will request permission from another device following the entry of the correct password to ensure the genuine user is trying to gain access; and
  2. use a unique, unpredictable password containing various letters, numbers and symbols such as ‘!tHew0rld5m0sTunguess@blep@55w0rd!’.

5. Non-GDPR Compliant CCTV System

Many business owners fail to realise that CCTV footage constitutes personal data under the GDPR. This is because it is a form of information which can help identify an individual. To comply with data protection principles, your organisation should try to follow the following rules for your CCTV system:

  1. carry out a genuine Data Protection Impact Assessment periodically;
  2. delete footage when no longer of use;
  3. place CCTV warning signs in easy-to-spot locations around your premises; and
  4. safely store CCTV footage to guard against unauthorised use.

While the ICO accepts that many companies have genuine reasons for using a CCTV system, such as for crime prevention, it requires them to do so within reasonable perimeters.

Key Takeaways

As a business owner handling personal data in England, you must comply with relevant data laws. This means you should avoid the common mistakes businesses can make when handling it. This article has explored five common mistakes, such as your business using weak passwords and not training your staff about cybersecurity. Given that the Information Commissioner’s Office can fine companies up to £17.5m for breaches of the UK GDPR, it is worth taking time to handle personal data safely.

If you need help ensuring good GDPR compliance, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page

Frequently Asked Questions

Why is the ICO able to hand my company such an enormous fine?

The £17.5m maximum fine level demonstrates that the Information Commissioner’s Office is not afraid of handing out hefty fines to deter companies from ignoring their duties to handle personal data safely.

How important is it to provide data protection training to my staff?

It is vital that you provide data protection training to your staff so that your company is less likely to suffer a cyberattack through user error.

Register for our free webinars

Preparing Your Business For Success in 2025

Online
Ensure your business gets off to a successful start in 2025. Register for our free webinar.
Register Now

2025 Employment Law Changes: What Businesses Should Know

Online
Ensure your business stays ahead of 2025 employment law changes. Register for our free webinar today.
Register Now

Buying a Tech or Online Business: What You Should Know

Online
Learn how to get the best deal when buying a tech or online business. Register for our free webinar.
Register Now

How the New Digital and Consumer Laws Impact Your Business

Online
Understand how the new digital and consumer laws affect your business. Register for our free webinar.
Register Now
See more webinars >
Thomas Sutherland

Thomas Sutherland

Read all articles by Thomas

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards