for you and your business

Nowhere to hide - GDPR & Personal Data.

In the first of a series of Guest Blogs, Suzanne Lurie, a Director of Affinity Resolutions, talks about the latest from the Information Commissioner’s Office on GDPR.

Affinity Resolutions specialise in GDPR – in both setting up policies & procedures and training.

Nowhere to hide

In the last few weeks the Information Commissioners Office (ICO) has broadened its focus and sent a wake-up call to all organisations and businesses which handle personal data.

What happened?

The ICO were alerted by a Regulator that a small health company was storing personal data without adequate security. The data subjects themselves were unaware of this and no data was lost or destroyed or seen by a third party.

What did the ICO do?

As part of their investigation, the ICO requested the company’s:

  • Privacy notice,
  • Data retention policy,
  • Destruction policy,
  • A description of the technical and organisational measures which the company had in place to ensure security of personal data.

At the conclusion of the investigation, the ICO issued a penalty notice which imposed an administrative fine of £275,000 to be paid in one month.

What were the ICO’s findings?

1. Whilst there were some policies in place, implementation of the policies and staff awareness was poor, and the company did not implement appropriate technical and organisational measures

2. The documentation contained sensitive data which should have been “treated with the utmost care” and the company demonstrated a “highly culpable degree of negligence” and a “cavalier attitude”.

Why is this important?

The penalty notice and fine have been imposed due to the company’s failure to comply with GDPR and to “implement appropriate organisational measures to ensure appropriate security of the personal data it processes”. The data subjects themselves were unaware and seemingly no data was lost or destroyed or seen by a third party. This decision by the ICO demonstrates that it will impose penalties and fines where an organisation does not have appropriate policies and procedures in place and where a company cannot demonstrate implementation, staff awareness and compliance.

The future risk

An organisation either does not have the appropriate policies and procedures in place or does have the policies and procedures but has not implemented them and the ICO is contacted by:

  • An employee
  • A patient/customer/client
  • A third party
  • A Regulator following a routine inspection

The first time an organisation will know they are being investigated is when the letter arrives from the ICO.

What can you do?

  1. Check that your organisation or business has up to date policies and procedures and these have been implemented across the organisation.
  2. Ensure all staff are trained at least annually
  3. Review whether your policies and procedures are being followed and update documentation when necessary.

Website by Branded by Jones / Built by The Web Orchard.

CBSL Chartered Accountants

Rowan House North | 1, The Professional Quarter
Shrewsbury Business Park | Shrewsbury | Shropshire | SY2 6LG

Telephone: 01743 249992 | E-mail: enquiries@cbslgroup.com

Copyright CBSL Accountants 2021. Privacy Notice

Registered in England & Wales no. 6013643 | VAT 902183554