It has been over two years since the General Data Protection Regulation (GDPR) came into force for EU countries, and the UK put it on the domestic statute book with the Data Protection Act 2018. At the time of implementation GDPR was a high-profile topic and organisations across the country were frantically reviewing and changing processes to ensure compliance with the new Act. Two years on it seems that some organisations have side-lined Data Protection as a priority which creates the risk of a Data Protection Act breach and potential fines from the ICO.

Many of the fines issued by the ICO are a result of poor marketing practice such as CRDNN who were fined £500,000 for making automated 'nuisance calls' and CPS Advisory Ltd which was fined £130,000 for making more than 100,000 unauthorised direct marketing calls. Other fines are due to bad internal procedures and probably a lack of training and knowledge. Hudson Bay Finance were fined for failing to respond to a subject access data request, Life at Parliament View received an £80,000 fine for leaving customers data exposed for nearly two years and Bounty UK shared personal data unlawfully and were fined £400,000. True Vision Productions filmed at a maternity clinic which resulted in a £120,000 fine and Doorstep Dispensaree Ltd were fined £275,000 for leaving personal data files in unlocked containers at the back of its premises in Edgware. With the correct training and procedures all these fines could have been avoided.

In an ideal world Data Protection should be an integral part of an organisation's culture, built into each and every process especially at times of great change caused by external factors such as a pandemic. Changes in how organisations deliver services and 'track and trace' are just two Covid related changes which create data protection considerations.

And, then we have Brexit looming!

It's good practice to review your data protection policies and procedures on a regular basis and here are a few reasons why:

• to ensure staff working at home are protecting the company's personal data;
• to consider the impact of Brexit on international data transfers;
• to avoid fines, bad publicity, and the destruction of customer trust;
• to allow you to be able to produce an up-to-date data processing schedule showing how your organisation processes personal data, should you be asked;
• your policies must help you be able to notify the ICO within 72 hours of becoming aware you have had a breach;
• up to date and accurate policies help your staff avoid issues in the first place, which can then lead to data protection breaches and fines;
• your data subject access request policy must help staff identify and respond to any data subject access request;
• identify data you should not be collecting, or which should be disposed of;
• ensure your data security and data processing systems are appropriate;
• many businesses, particularly large ones, require their supply chains to be fully legally compliant with all manner of legal and corporate social responsibility matters like data protection and Modern Slavery

If you are in need of help and guidance with Data Protection matters JPP Law can help. For start-ups or small companies who need to get Data Protection Act compliant we offer fixed fee document packages. For larger companies that fear they may have recently undergone significant changes or have let Data Protection 'slip' we can provide a data protection audit.

For more information call +44 (0)20 3468 3064 or email our Client Services Director Juliette.Pip@jpplaw.co.uk who can organise a free consultation with a member of our legal team. We use the consultation to learn more about your business and your requirements and we will follow up with a written quotation for services.