The 12 Data Protection Mistakes of Christmas
- 10 December 2025
- Privacy and Data Protection
As the festive season approaches, it is not just last-minute shopping and office parties that can catch organisations off guard; data protection slip-ups are just as common. From misdirected emails to outdated policies, these twelve data protection mistakes highlight the risks that can easily arise during a busy period. By understanding the most frequent pitfalls and how to avoid or fix them, organisations can remain compliant, protect personal data and enter the new year with confidence.
1. Sending emails to the wrong person
Sending an email to the wrong person is an easy and common mistake to make, especially when in a rush. Care must be taken to ensure personal data does not end up in the wrong hands.
What should you do if you have sent an email by mistake? Firstly, act quickly. Sometimes it is possible to recall the email, and this should be attempted as soon as possible. If you are unable to recall it, it is usually sensible to send a follow-up email to the unintended recipient, explaining the error and asking them to delete the message.
The ICO acknowledges that Autofill can cause accuracy issues when sending emails and therefore suggests considering whether its use is necessary. It is also important to provide training on the importance of double-checking that email addresses are correct before hitting send.
For more information on how to respond to a data breach see the ICO guidance on this: 72 hours – how to respond to a personal data breach | ICO
2. Unusual internet links and attachments
Unusual internet links and attachments are becoming increasingly common, so how should they be dealt with? The ICO recommends having the necessary firewalls in place, efficient storage systems and, most importantly, trained staff. Staff should be trained to spot suspicious emails and to deal with them in accordance with an effective policy.
3. Holding personal data for longer than necessary
Personal data must not be kept for longer than is required. In addition, the more data that is held, the more onerous responding to data subject access requests can be and the more costly it becomes to store.
What should you do? It is always necessary to determine whether you need to keep the data you hold. Having an up-to-date retention policy will help to answer this question. Data should be sorted through on a regular basis and, if you no longer need to keep it, it should be deleted securely.
4. Over-collecting personal data
Personal data should be limited only to what is necessary. Over-collecting and retaining personal data only enhances liability. To comply with a fundamental principle of data protection legislation, only adequate and relevant data should be collected.
5. Ignoring a Data Subject Access Request (DSAR)
Data subjects have the right to request their personal data from data controllers. Ignoring such requests can have significant implications, including a hefty fine.
What should you do? Firstly, it is crucial to know how to spot a DSAR as requests are not always clear and can be made verbally, and not just in writing. Staff should therefore be trained to recognise when a DSAR is being made. Secondly, organisations must have a clear DSAR policy which effectively outlines what these requests are and who requests should be sent to. Additional guidance can then be provided to those dealing with these so they are aware of their legal obligations and how to respond to the request. Thirdly, it is also a good idea for an organisation to designate a lead on data protection responsible for overseeing and ensuring compliance with data protection legislation.
6. Leaving data protection matters to IT
Data protection matters are not solely an IT issue, and treating them as if they are is a huge mistake. Although IT systems are vital to ensuring personal data is correctly processed and managed, compliance with data protection legislation is a much wider matter and involves many departments within a business, including management, finance, HR, legal, marketing and anyone else who processes personal data on behalf of the company.
7. Failure to document a lawful basis
Organisations must be able to document and demonstrate a lawful basis for processing personal data. Always determine (and document) the lawful basis before any processing of personal data commences.
This should also accord with the legal basis you notified individuals of in your privacy notice.
8. Poor data breach response
Data breaches can have serious consequences for organisations. Not only are the fines substantial, but trust and confidence in your business can diminish and the reputational damage can be fundamental.
There are ways in which you can ensure your data breach response is compliant with regulations. Some ways to ensure compliance include dedicating an individual to oversee incidents, putting in place sufficient staff training on how to escalate data breaches, having an effective response plan and ensuring all facts regarding the breach are logged and documented.
For more information on breach response, see the ICO guidance on this: Breach response and monitoring | ICO
9. Outdated policies
Outdated policies will be ineffective and not fit for purpose, and failing to review policies regularly can lead to non-compliance. Amongst other things, the policy framework should cover data protection, records management and a clear process which is understood by all staff. Policies should be endorsed by management, who offer support to data subjects and employees alike.
10. Outdated privacy notices
Having outdated privacy notices waves a huge red flag to regulators. Not only this, but staff may feel a lack of trust and confidence in employers which can negatively impact business reputation. Organisations should, on a regular basis, review and update notices in line with evolving legislation, changing practices and ICO guidance.
11. Neglecting staff training
Many data breaches stem from human error, so regular training should be at the forefront of data compliance. Training programmes help to ensure that employees are aware of and understand their data protection obligations. Employers should make inductions and refreshers widely available whilst monitoring data handling to reduce the risk of data breaches and potential penalties.
12. A blanket approach to compliance
All businesses are unique, and by taking a generic approach to data protection compliance you could be making a huge mistake. A blanket approach to compliance can fail to deal with business nuances, which can in turn create costly vulnerabilities.
Instead, a robust approach should be taken which integrates data protection into everything your organisation does. Data privacy and protection should be woven into all business systems and processes. This will help to ensure that data protection compliance is ingrained in your organisation from the very start.
If you require further assistance or have any questions regarding the above, please feel free to contact a member of our data protection team.
Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.