Data Protection Risk

Gannons provide solutions around how organisations can protect themselves against a breach of the data protection regulations.

The role of data protection officer (“DPO”) is compulsory for many organisations and is increasingly required by investors as a condition of investment in smaller businesses as well.

A DPO has many responsibilities, including preventing data protection breaches, dealing with complaints about data protection breaches and paying fines. Being the data protection officer is far from a mere badge – it carries increased risks for that individual. In practical terms, the data protection officer will be first in the firing line if things go wrong.

Risks for Data Protection Officers

Before taking on the responsibility for data protection it is prudent to acknowledge the risk that you could be the fall guy and to negotiate a long notice period. A long notice period improves your chances of a decent settlement agreement if you are fired. Another

The data protection regulation rules are framed so that several persons can be responsible for the same breach if they were involved in the process. In practice this means that liability is not limited to the data protection officer but extends to senior management and directors.

A regime of self-reporting applies: the data protection officer and processors will need to inform the ICO within 72 hours of becoming aware of a data breach.

The data protection officer should report to the highest management level – i.e. the board. The board of directors are not excluded from liability by the appointment of a data protection officer and have a delegated responsibility to oversee.

In particular, directors and senior management will be held liable where a data offence is committed by the company and it is shown that they were negligent. This is a criminal offence.

Where the business is managed by shareholders, they will be held to account as if they were directors. The message is clear – if you take on the responsibility of running the company, whatever your job title, you also take on the responsibility for its data protection and security.

How to handle a subject access request

Employees have enhanced rights to find out what personal data is held about them by their employer, why it is held and who the information is disclosed to.

With over 42% of data protection complaints lodged with the ICO relating to subject access requests, employers need to know how to handle them. We provide a short summary of the employer’s duties in response to a subject access request.

  • You must respond to a request ‘without undue delay and within one month of receipt of the request’. In more complex circumstances this may be extended by up to two months – you must explain the extension to the employee.
  • You may ask the employee to specify the information or processing activities to which the request relates, where you process a large quantity of information about the employee.
  • You do not need to disclose employment references given in confidence. All information within the reference is protected but comments made about a reference received from a third party are not. Care should be taken over how this information is recorded and communicated.
  • You do not need to disclose data processed for the purposes of management planning related to business activities, where to disclose it would prejudice the conduct of a business. This would include information such as staff redundancy programmes, which would prejudice the employees if disclosed in advance.
  • You may charge the employee administrative costs for ‘manifestly excessive or unfounded’ requests. It is not enough that the effort to search thousands of emails would be disproportionate. There should be significant technical difficulties in recovering the information before a request could be considered manifestly excessive.
  • You may refuse to respond to unwarranted requests. If you refuse to respond to the request you must explain why and inform the employee of their right to complain to the supervisory authority.

Failure to meet the deadline or provide employees with access to all requested data could expose the employer to fines.

If you are involved in a data protection matter, data theft or a data breach and are unsure of your responsibilities, or of the solution to a problem such as how much to disclose in response to a subject access request, please call us on 0207 438 1060.

Alex Kennedy

After studying at Cambridge University, Alex spent 5 years with an international law firm before joining Gannons. He specialises in high-value and complex commercial disputes and employment law.
