In the first of a series of Guest Blogs, Suzanne Lurie, a Director of Affinity Resolutions, talks about the latest from the Information Commissioner’s Office on GDPR.
Affinity Resolutions specialise in GDPR – in both setting up policies & procedures and training.
In the last few weeks the Information Commissioner's Office (ICO) has broadened its focus and sent a wake-up call to all organisations and businesses which handle personal data.
The ICO were alerted by a Regulator that a small health company was storing personal data without adequate security. The data subjects themselves were unaware of this and no data was lost or destroyed or seen by a third party.
As part of their investigation, the ICO requested the company’s:
At the conclusion of the investigation, the ICO issued a penalty notice which imposed an administrative fine of £275,000 to be paid in one month.
1. Whilst there were some policies in place, implementation of the policies and staff awareness was poor, and the company did not implement appropriate technical and organisational measures.
2. The documentation contained sensitive data which should have been “treated with the utmost care” and the company demonstrated a “highly culpable degree of negligence” and a “cavalier attitude”.
The penalty notice and fine have been imposed due to the company’s failure to comply with GDPR and to “implement appropriate organisational measures to ensure appropriate security of the personal data it processes”. The data subjects themselves were unaware and seemingly no data was lost or destroyed or seen by a third party. This decision by the ICO demonstrates that it will impose penalties and fines where an organisation does not have appropriate policies and procedures in place and where a company cannot demonstrate implementation, staff awareness and compliance.
An organisation either does not have the appropriate policies and procedures in place or does have the policies and procedures but has not implemented them and the ICO is contacted by:
The first time an organisation will know they are being investigated is when the letter arrives from the ICO.