Skip to content
LegalVision UK

Three Major Challenges Companies Face in England Under the GDPR

Avatar photo

By Thomas Sutherland

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn
Table of Contents

Your business must comply with data protection rules to protect your staff and customers and avoid receiving fines. The General Data Protection Regulation (GDPR) establishes the data protection rules for organisations in England. Data protection law in England is complex and requires proactive measures by businesses to ensure full compliance. This article will focus on three of the biggest GDPR-related challenges companies in England face so your business can overcome them. 

Why Does GDPR Compliance Matter?

Primarily, GDPR compliance guarantees your organisation is processing all information securely and safely. Furthermore, compliance ensures you avoid the risk of receiving a fine from the Information Commissioner’s Office (ICO). The ICO enforces data protection laws, including the GDPR, and any breach of those rules can lead to a hefty fine up to £17.5m.

Let us consider three significant challenges companies encounter and how best to overcome them.

1. Handling Subject Access Requests Safely

A Subject Access Request (SAR) is a written request for all information a business holds on a specified individual. Usually, the individual is a customer or staff member. 

The GDPR issue the following requirements for SARs:

  • provide the required information within one calendar month of the request (subject to limited exceptions);
  • only withhold documentation in limited circumstances (such as where legal privilege applies to emails containing legal advice between your company and any lawyer); and
  • only redact information where genuinely required.

Many genuine questions can arise from reading the above three points, such as: 

  • the limited exceptions to the one-month rule;
  • what legal advice constitutes; and
  • how to safely redact information. 

The appropriate method to resolve these issues will vary according to the case’s unique circumstances. Therefore, you may need to seek legal assistance. 

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

2. Correct Reporting of Data Breaches

One of your company’s obligations to the ICO is to report a data breach (usually through their website) within 72 hours of becoming aware of one. However, the test for when to notify the Information Commissioner’s Office is not straightforward and can be unclear without legal advice.  

Put simply, your organisation must report a data breach to the ICO when both of the following facts are true:

  1. you have discovered a personal data breach; and
  2. that data breach could likely result in a risk to people’s rights and freedoms.

If your company believes that someone has had unauthorised access to personal data, then the first test is likely to be satisfied.

However, the second test regarding risk to people’s rights and freedoms is more complicated in practice. Furthermore, without legal assistance, it can be difficult for your organisation to speculate how the ICO may classify this breach. If uncertain, you should err on the side of caution and refer the breach to the ICO.

3. Keeping Information Safe

In this increasingly digital age, the GDPR tasks organisations in England with keeping personal data safe and secure. Notably, some of the ICO’s most significant fines are to companies that fail to take adequate precautions against cyber attacks. Some business owners falsely believe that using antivirus software alone is sufficient to protect personal information. However, most businesses in England must also perform some of the following actions to increase their cyber security:

  • ensuring the use of strong passwords to safeguard accounts;
  • training employees regularly about cyber risks and how to safeguard against cyber-attacks (for example, teaching them to avoid clicking on suspicious links and to report any concerns);
  • installing all recommended software and operating system updates without delay (including antivirus software updates); and
  • ensuring your organisation regularly backs up data to guard against data loss.

Key Takeaways

Compliance with the GDPR may pose many challenges to businesses. It involves proactive and constant steps and cyber security monitoring. On the whole, data protection rules in England ensure you collect, handle and store data safely and without disclosure to unauthorised individuals or third parties. Some business owners obtain legal advice to guide them through GDPR compliance requirements. 

If your business is facing challenges complying with the GDPR and data protection law, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

Would employing a Data Protection Officer (DPO) help my business comply with the GDPR?

A Data Protection Officer can help your organisation handle SARs and other GDPR-related tasks and avoid unintentional data protection breaches. However, it is essential to note that, to be effective, a DPO should be given free rein to monitor the company’s data and make recommendations to improve cyber security.

Why does my company have to report a relevant personal data breach to the ICO?

You must report breaches as the ICO is the enforcing body that investigates data breaches under GDPR, whether due to unintentional failure to follow due process or further to a cyber attack. Likewise, the ICO can advise your business on follow-up actions. However, they may also issue a fine if they feel your organisation should have acted differently before the data breach.

Register for our free webinars

Protecting and Enforcing Your Brand

Online
Protect your brand from misuse and infringement. Register for our free webinar.
Register Now

Deal Structures 101: Understanding Equity, ASAs and Convertible Notes

Online
As a startup founder, understand your capital raising options. Register for our free webinar today.
Register Now

Common Legal Pitfalls for SaaS and Online Businesses

Online
Protect your online or SaaS business from common legal pitfalls. Register for our free webinar.
Register Now

GDPR Compliance Essentials for SMEs

Online
Ensure our business is compliant with GDPR and build trust with customers. Register for our free webinar.
Register Now
See more webinars >
Thomas Sutherland

Thomas Sutherland

Read all articles by Thomas

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

Three Common Myths About a Breach of Contract for Business Owners in England

Does My Business Need a Cybersecurity Policy?

Four Benefits of Your Company in England Having a Data Protection Officer

How Can My Company Protect Sensitive Information in England and Wales?

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards