GDPR: what the regulator expects from you

  • 08 Dec 2020

By Julian Hayes, partner at BCL Solicitors LLP

British Airways, Marriott International, Experian, Ticketmaster – a roll call of well-known companies recently hit with swingeing GDPR fines for lax data security. While the sights of the UK’s information watchdog, the ICO, have been trained on corporate giants, SMEs would be mistaken if they believe regulatory scrutiny does not apply to them.

Though media attention has focused on the ‘big scalps’ falling foul of data security obligations, the consequences are the same whether those involved are multinational conglomerates or sole traders: customers exposed to risk, reputational damage, potential administrative penalties and even compensation claims. The following advice will help you stay on the right side of the law:


Understand your responsibilities

Aimed at ensuring proper care is taken of personal data (whether in electronic form or paper filing systems), the integrity and confidentiality principle requires businesses to provide appropriate security for such data, including against unauthorised or unlawful processing, accidental loss, destruction or damage, using appropriate technical or organisational measures.

What the regulator envisages is a risk-based approach to data security, but given the threat of heavy financial penalties for those who fail to measure up, just how are SMEs to go about meeting what can seem a maddeningly vague obligation?

Analyse your data processing

Importantly, there is no ‘right’ or one-size-fits-all answer. Instead, companies are expected to systematically and comprehensively analyse their personal data processing to identify and minimise potential risks. The ICO offers practical assistance – a template Data Protection Impact Assessment which guides users through the process and towards measures to reduce the risk of data breaches.

When considering the “appropriateness” of technical and organisational measures to mitigate such risk, the ICO’s website offers useful pointers. As regards technical measures, SMEs should consider obvious physical measures – access doors, locks and security cameras – and cybersecurity measures for their IT networks and the personal data they hold.


Emphasis is placed on encrypting personal data, regular back-ups to ensure access in the event of a data incident, and periodic security checks. The CyberEssentials scheme offers additional jargon-free advice on possible cybersecurity steps. As for organisational measures, consider staff data protection training, clear desk policies, locking away paper-based data, and adopting a secure password policy.

How to react to a security breach

A security breach – an event  compromising the integrity, availability or security of personal data – can take many forms, including emailing confidential customer information to the wrong person, leaving customer correspondence on public transport, the theft or loss of an electronic device containing client data, equipment failure and hacking attacks.

Security breaches are almost inevitable and, when they occur, the practical and regulatory obligations on data controllers are the same whether they are a sole trader or a large company.

Stemming the breach, ascertaining what data has been lost and identifying the individual data subjects affected are key steps to assessing whether notification obligations arise. Keep a log of your decisions as the process unfolds.

Reporting breaches

Breaches which are unlikely to jeopardise the “rights and freedoms” of the data subjects need not be reported to the ICO but this is not always a straightforward determination and professional advice may be necessary; making the wrong judgment call can result in hefty ICO penalties.


The regulator offers a handy online tool to help determine whether reporting is necessary. Where a report is required, it should be made to the ICO within 72 hours of becoming aware of the breach, not from when the breach happened. If a security breach poses a high risk to data subjects (for example where financial details are exposed), the individuals concerned should normally be notified without undue delay so that they may take action to protect themselves.

Remain vigilant

The GDPR raised the profile of data protection generally, pushing the issue up the boardroom agenda and planting it firmly in the public consciousness. Even as the Brexit transition period draws to a close, the importance of data protection is unlikely to subside, with the UK GDPR – carrying identical rights and responsibilities – waiting on the statute book. Human error, technical failure and cybercrime will continue, requiring companies large and small to remain vigilant in the protection of personal data and to know how to react when security breaches occur.


Related topics