As part of its ongoing work, the Information Commissioner’s Office (ICO) has the power to issue reprimands in relation to key legislation. Such reprimands are issued to give clear guidance and set expectations about the need to be compliant with such legislation, including the UK GDPR.
The ICO has recently published an article highlighting some of the key learning points that can be taken from the most recent reprimands issued, whether organisations have their own internal data protection officer or they rely on external bespoke data protection services from other providers.
The three key learning points identified are:
1. Avoid inappropriate disclosure of personal information by having policies in place and training your staff.
The ICO reprimanded five organisations between April and June 2023 for the inappropriate disclosure of people’s information. The reasons for the reprimands varied, from not suitably redacting a document to not having adequate staff training in place. The ICO recommends that organisations should review all data protection policies, procedures and guidance, provide adequate training for staff and ensure there are appropriate technical and organisational measures in place to ensure security and confidentiality.
2. Respond to information access requests on time.
Two local authorities were reprimanded between April and June 2023 for failing to respond to Subject Access Requests (SARs) within the statutory timeframe. The ICO states organisations must respond to a SAR within one month of receipt of request, or up to two months if the request is complex.
3. Implement a data protection by design and default approach.
Two further organisations, this time in the emergency services, were reprimanded for unlawfully capturing personal information after introducing an app that recorded phone conversations. The ICO states that lessons can be learned by all organisations: any development or deployment of an app should always take a data protection by design and default approach, considering the method and means of data processing and acting to ensure the processing is compliant with legislation prior to launching the service.
Whilst these organisations are not the first and certainly won’t be the last to fall foul of data protection law, it is important for all organisations to take note and develop their internal and external practices to ensure continued compliance. In some cases, this may mean reaching out for more assistance to avoid similar scenarios.
How can we help?
The team at BLS are expert consultants offering a full range of bespoke data protection services and UK GDPR support. We offer a range of services to ensure compliance with data protection legislation, at whatever scale your organisation may require it.
If your organisation requires further training to be compliant, our expert team run open courses, bookable via our website.
Whilst the ICO recently highlighted the importance of training staff in SAR and Redaction, data protection training is imperative for any role – if staff are appropriately trained, any organisation is well on the way to compliance with data protection legislation. Training needs will vary according to size and type of organisation and BLS can conduct a training needs analysis on your behalf if required.
Our open courses are available to any member of any organisation. Each course runs online several times throughout the year and may be the answer to your data protection gap.
Alternatively, we can hold a bespoke course to fit you and ensure that all members of staff who have connection to the data you use, store and manage are appropriately trained at a time and place convenient to you. This is often useful for groups of organisations who may find it more beneficial to train their teams together.
See the links below to find out more on our training offerings, or to book an open course online.
- Caldicott Guardian (CG)
- Advanced Caldicott Guardian (CG)
- Senior Information Risk Owner (SIRO)
- Advanced Senior Information Risk Owner (SIRO)
- Data Protection Officer (DPO)
- Subject Access Request and Redaction (SAR)
- Data Protection Impact Assessment (DPIA)
- Information Asset Owner (IAO)
- Safer Recruitment
- Board briefings and senior management training (bespoke only)
Data Security Protection Toolkit (DSPT) audit and assistance
The DSPT is a self-reporting tool that all organisations with access to NHS data must complete.
At BLS Stay Compliant, we have years of experience in completing the DSPT and can guide your submission, provide a pre-submission audit and check your content follows the required framework.
Data Breach Management
No organisation is immune to a data breach and the consequences – and subsequent workload – can be extensive. BLS Stay Compliant are well versed in handling data breach incidents and can also help ensure measures are put in place to prevent future breaches.
If your organisation has suffered a data breach it is absolutely vital that you do not delay management.
Subject Access Request Management
Dealing with subject access requests can be a time-consuming and labour-intensive task and is also time sensitive under data protection legislation, as highlighted by the ICO in the above article.
BLS Stay Compliant can guide your organisation in responding to a SAR and can aid in setting up adequate practices should you receive one, including how to recognise a valid SAR.
The Information Commissioner’s Office (ICO) has the power to – and regularly does as shown – audit any organisation to test data protection compliance. Our experts can conduct a thorough audit of your GDPR compliance and physical security, providing recommendations where necessary.
Policy writing and reviews
Many organisations are not aware of what policies are required to ensure they are compliant with data protection legislation, or if they are in place, when they were last updated.
Our policy writing and review service offers peace of mind that your policies are not only up to date, but you have a full suite in place for your requirements.
Our expertise, on call, whenever you need it.
Our popular managed service offering is a 360 degree approach to your data protection – covering all of the above and more within a package that suits your budget and other resources.
We can act as your data protection officer, or other data protection related roles as required, or can simply act in the guidance position for any level of staff.
If we can offer any assistance with any of this information, or other services as required, do get in touch via the form below.