Data Protection – what have you done about it?

Roll back the clock 12 months and everywhere you looked there were articles and advice on GDPR, which was about to be introduced (on 25 May 2018). Nearly 12 months on, it seems to have dropped off the radar screen. But do not be fooled – it has not gone away, far from it.

What should you have done?

In short, any business holding personal data on its employees or customers has to have a structure in place for that data which complies with the GDPR rules, so by now you should know the answers to these questions:

  • What data do you keep (electronic or hard copy)?
  • Where is it stored (one central server, individual laptops, in the cloud, in a filing cupboard)?
  • Is that data compliant with the rules?
  • Do you have permission from the persons on the list to keep their information?

And presumably you have a designated data compliance officer? And have notified the ICO?

Do your staff know the rules too – have they been adequately trained?

Even if you can answer the above questions satisfactorily, do your staff understand the rules, the obligations and your policies and procedures? In other words, have you trained them about:

  • Laptop security
  • Use of personal devices on your network
  • Secure use of USB sticks
  • Closing filing cabinets at night if they contain client records
  • Action to take in the event of a data breach, e.g. loss of unencrypted devices or mobile phones that have been synchronised to the office network
  • Ensuring emails from clients are actually from that client and not from a very similar email address, especially where unexpected attachments are involved

Most common data breaches

Since the introduction of GDPR up to the end of 2018, UK organisations reported 10,900 data breaches. Serious stuff, even for smaller firms, which could be looking at fines of the greater of 10m Euros or 2% of turnover.

And remember, you have just 72 hours to report a breach to the Information Commissioner's Office (ICO), or that's another offence clocked up.

The definition of a "breach" is very wide. It includes both physical and electronic incidents leading to the accidental (or unlawful) loss or destruction of, or unauthorised access to, personal data. Early research indicates that just over half of all breaches are via a malicious outsider, but around one third were caused by the accidental loss of a device. Malicious action by insiders accounts for most of the other incidents.

The most common element present – just like motor accidents – is human error:

  • Carelessness in losing a device
  • Opening an unknown email containing a malicious link
  • Responding to a phishing enquiry
  • Placing data on unencrypted devices or failing to password-protect data
  • Failure to change passwords, or using ones that are easy to crack or guess
  • Giving everyone in the organisation "access all areas"

How well trained are your staff to minimise these risks?

Will this make a difference (assuming it happens)? The short answer is "no", because the UK's 2018 Data Protection Act has effectively copied the EU-generated GDPR into UK law.

What will happen if I haven't yet done anything about GDPR?

Sooner or later you will suffer a data breach. Your staff weren't trained, and one of them inadvertently lets a dodgy email wreak havoc in your systems.

You now have 72 hours to self-report to the ICO. If you don't, an aggrieved customer or employee will.

At this point the ICO will investigate the circumstances. It is on record as saying it works collaboratively with businesses that have shown awareness, taken reasonable measures and trained their staff – but still suffer a breach.

Those that haven't engaged with GDPR are looking at fines of 10m Euros or a penalty of 2% of turnover.

Your choice.