

Toffees, a Burglary and the ICO

Late one Friday night, one of our client’s premises, whose business is making and supplying old fashioned sweets, was broken into. His CCTV cameras recorded a white van pulling up outside the front door to the office, 4 youths getting out of the van, cutting the metal shutters with angle grinders, removing the safe and driving off. All in under 7 minutes.

We were phoned early on Saturday morning as the safe did not contain sweet recipes or money, but the names, contact details and financial information of all our client’s customers. As their external DPO they needed urgent advice on this major data breach.

In this case, we advised reporting the breach to the Information Commissioner's Office (ICO) and notifying all the customers who had been affected. A few weeks later, our client received confirmation from the ICO that the breach had been investigated and no further action would be taken.

There is no magic formula as to why this was the outcome.

If we consider what happens behind the scenes at the ICO when a breach is reported:

  1. The ICO checks whether an organisation is registered with them. Failure to register brings the risk of a fine of up to £4,000.
  2. If an organisation is registered, the ICO checks whether it is registered on the correct tier. There is a simple Q & A which an organisation can complete to check this.
  3. The ICO checks an organisation's website to see if there is a Privacy Policy and, if so, whether it is compliant, easy to understand and easy to find. We find that many organisations do not have a compliant Privacy Policy, having copied the Privacy Policy from somewhere else or combined several different ones without fully understanding what information should be included. We also come across cases where the Privacy Policy is difficult to follow and buried somewhere on a website.
  4. If there has been a serious breach, the ICO asks to see copies of an organisation's policies and procedures.

In our client’s case, all documentation was in order, so the ICO concluded there was no need to investigate further.

The outcome could have been very different if our client had not been GDPR compliant. The ICO would likely have levied a fine, posted the details on its website (which could have caused reputational damage) and imposed sanctions such as stopping the business from processing data, effectively bringing it to a standstill; the individuals whose information had been stolen could then have claimed compensation.

The recipe is simple:

  1. Register with the ICO in the correct tier. Registration can be completed easily online.
  2. Make sure your Privacy Policy is up to date, not copied from someone else, bespoke for your organisation and easy to find and easy to understand.
  3. Have in place policies and procedures which follow data protection guidelines.
  4. Train all members of your organisation to ensure policies and procedures are followed.

Bernard and Suzanne of Affinity Resolutions can help with all your data protection queries.

Call us on Tel: 033 00 55 25 30 / Email: [email protected]

SEE OUR WEBSITE www.affinityresolutions.co.uk