For companies of all sizes, data protection is a bigger concern today than ever before. With corporate and commercial activity increasingly being conducted online (especially since the start of the pandemic), it’s important for businesses to make sure their approach to safeguarding personal data continues to be sufficient.
The General Data Protection Regulation (GDPR) has been a feature of UK legislation since 2018, and its implementation has continued beyond Brexit to now exist as an independent British law (known as the UK GDPR).
But what do businesses and organisations need to know about GDPR? What are some common pitfalls? In today’s post, we will look at some of the most frequent GDPR missteps and explain some ways in which to address them.
Mistake: Not Updating Existing Data Protection Practices
The GDPR (via the UK Data Protection Act 2018) took over from the Data Protection Act 1998 when it was introduced – but many businesses whose data handling practices were in line with the old law may find they need to review their policies and procedures in light of modern legislation.
Technology and the challenges of data protection have changed enormously in the past 20 years and it should not be assumed that meeting the requirements of earlier, now-retired guidelines still guarantees compliance with the current rules.
For example, one new aspect of law introduced by GDPR was the concept of the right to erasure (or the ‘right to be forgotten’). Data controllers (i.e. those exercising overall control over the purposes and means of processing personal data) are now required to comply with any request from an individual who wishes to have their data removed from the system.
Data protection is a serious matter, and not just a box-ticking exercise – no business wants to come under fire from the Information Commissioner’s Office (ICO) for failing to handle personal data properly (and potentially receive a maximum fine of £17.5 million or 4% of annual global turnover – whichever is greater – for infringements).
If in any doubt, an experienced corporate and commercial solicitor can help you review your data processing policies and advise where revisions may be needed.
Mistake: Not Establishing a Subject Access Request Policy
Under GDPR, any individual (whether a customer, employee, business contact or other) whose data is held by your organisation is within their legal right to contact you at any time to ask for copies of all of the personal information you have on them (or to request its deletion). This is known as a Subject Access Request or Digital Subject Access Request (SAR or DSAR for short).
Many businesses imagine this will never happen to them, or underestimate how much work it can be to respond to this type of request. Yet when somebody does submit a SAR, businesses often find they have no plan in place to deal with it, and can fall into one of several common pitfalls that could have been avoided by having a clear policy defined ahead of time.
For example, one mistake sometimes made when responding to SARs is that proper care is not taken to redact the personal information of other individuals, whose data might accidentally be released in conjunction with that of the individual submitting the SAR.
By establishing a clear and robust policy for dealing with data requests (and ensuring that staff have the appropriate training to recognise and correctly respond to them), these types of mistakes may be avoided entirely.
Mistake: Not Considering Offline Data to be Covered by GDPR
Many organisations consider data protection to be an entirely digital issue, and leave GDPR matters to be dealt with by the I.T. team.
This is a common misconception. Data does not have to be stored digitally to be subject to data protection laws – which means that paper records, filing cabinets, memos and even post-it notes must also be handled responsibly.
While it is true that data stored offline is often safe from online data breaches and other cyber attacks, this does not mean that it is always GDPR-compliant (or that it falls outside of the scope of the legislation). This also applies to historic records collected at a time that predates GDPR.
Physical records must be stored just as safely and lawfully as digital material, and if an individual exercises their legal right to request erasure from a data controller, any offline data must be destroyed along with the electronic records.
Mistake: Focusing Only On Compliance For The General Public
Many companies that deal with customer data are quite careful about how this data is stored, used and maintained – as they should be. However, it must always be remembered that employee data is subject to GDPR, too.
Every individual has a right to safe processing of their data – and its erasure – whether they are a customer or part of your own team. This means that the same care must be taken when storing and using employee data as that of individuals from outside your organisation.
Mistake: Depending on Third Party Vendors to Take Care of GDPR
Some businesses may feel that all of their data protection obligations should be taken care of by service providers. For example, they may assume that because their I.T. provider is GDPR-compliant, the issue is taken care of and no further action is needed on their part.
However, this can be a major mistake as, for example, data protection problems could in many cases easily be caused by your own employees. All it takes is for one worker to accidentally forward a customer’s personal details to somebody outside the organisation by CCing the wrong person on an email, and a breach will have occurred that is reportable to the ICO.
The simple truth is that there is no substitute for proper staff training in data handling, along with expert legal advice to help you identify and correct any potential GDPR issues at your company.
Expert Legal Advice
GDPR compliance is not a one-time box-ticking exercise – it is an ongoing process of continued vigilance and policy review to ensure that sensitive personal information is being stored and accessed in line with the rules. With the ICO imposing an increasing number of fines against companies and individuals who fall short of the required standard, it is clear that data protection is too serious to ignore.
However, with well-crafted data handling policies, appropriate staff training and the support of an experienced solicitor, GDPR issues can be fully taken care of and allow you to focus fully on what your business does best.
This post was contributed by Girlings Solicitors. Based in Ashford, Canterbury, and Herne Bay, Kent, Girlings offers expert legal advice for businesses, individuals and charity organisations across a wide range of departments.