Five Common Mistakes Made by Businesses Handling Personal Data in England

As a business owner, you must handle personal data safely and lawfully. This is a crucial requirement of the General Data Protection Regulation (GDPR), and failing to do so may result in a hefty fine from the Information Commissioner’s Office (ICO). To help, this article will explore five common mistakes made by organisations in England concerning handling personal data. Your business should avoid these mistakes to increase your chances of good data protection compliance.   

What is ‘Personal Data’?

The GDPR contains a broad definition of ‘personal data’ and includes any information that can help identify an individual. ‘Personally identifiable information’ can consist of the following: 

• names;
• postal addresses; 
• mobile numbers; 
• email addresses; 
• IP addresses; or 
• dates of birth.

Personal data does not just relate to written information but also video and audio recordings.

Below are five common GDPR mistakes businesses in England make when handling personal data. 

1. Treating Only Digital Information as at Risk

Information stored on paper comes under the same data protection rules as digital information, yet it can sometimes be more expensive to dispose of physical data safely. This is because sensitive information should be shredded and disposed of using a secure, confidential waste service. Simply placing documents containing personal data within the regular rubbish is a breach of the GDPR as it exposes sensitive information to data theft.

2. Keeping Personal Information for Too Long

The GDPR requires your business to store personal data only for as long as reasonably necessary. So, for example, there is no need to store the home address of a one-time customer who last purchased an item ten years ago unless they have explicitly opted-in to postal newsletters in the interim.

Keeping information beyond its useful lifespan means that your company will have more personal data to lose within a cyberattack, which risks a higher fine from the ICO. This is not to mention that storing a higher amount of digital information costs more, so less data means lower costs.

3. Not Providing Staff With Cybersecurity Training

Like most businesses, from small businesses to multinational corporations, your company is likely to use electronic systems. Where your business stores information by digital means, there is a risk of cyberattack and data loss.

Cyberattacks on businesses in England are becoming more sophisticated and commonplace each year, so your company needs to take proactive measures to defend against them. Therefore, you should train your employees to avoid user errors and common traps like phishing emails or virus-laden email links used by cybercriminals to gain unauthorised access to your computer systems. Unfortunately, a successful cyber attack is likely to be classed as a data breach (or personal data breach) by the ICO.

The cost of training your staff is almost certainly lower than the potential cost of losing access to your organisation’s systems within a ransomware attack, alongside facing a possible fine from the ICO. 

Startup Manual

LegalVision’s Startup Manual is essential reading material for any startup founder looking to launch and grow a successful startup.

Download Now

4. Weak Password Systems

While a strong password is a basic security measure, many organisations remain guilty of using predictable, easy-to-crack passwords for important accounts. Nowadays, cybercriminals can gain access to modern computer programs through a brute force attack which is by entering thousands of common passwords in quick succession.

There are two simple solutions to counter this threat:

1. enable two-factor authentication, which will request permission from another device following the entry of the correct password to ensure the genuine user is trying to gain access; and
2. use a unique, unpredictable password containing various letters, numbers and symbols such as ‘!tHew0rld5m0sTunguess@blep@55w0rd!’.

5. Non-GDPR Compliant CCTV System

Many business owners fail to realise that CCTV footage constitutes personal data under the GDPR. This is because it is a form of information which can help identify an individual. To comply with data protection principles, your organisation should try to follow the following rules for your CCTV system:

1. carry out a genuine Data Protection Impact Assessment periodically;
2. delete footage when no longer of use;
3. place CCTV warning signs in easy-to-spot locations around your premises; and
4. safely store CCTV footage to guard against unauthorised use.

While the ICO accepts that many companies have genuine reasons for using a CCTV system, such as for crime prevention, it requires them to do so within reasonable perimeters.

Key Takeaways

As a business owner handling personal data in England, you must comply with relevant data laws. This means you should avoid the common mistakes businesses can make when handling it. This article has explored five common mistakes, such as your business using weak passwords and not training your staff about cybersecurity. Given that the Information Commissioner’s Office can fine companies up to £17.5m for breaches of the UK GDPR, it is worth taking time to handle personal data safely.

If you need help ensuring good GDPR compliance, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page. 

Frequently Asked Questions