United Kingdom’s data protection authority ICO recently published main lessons learned from its reprimands. The past quarter (April to June 2023) saw a series of data breaches and failures, each offering a crucial lesson to learn.
First and foremost, ICO observed a common issue of inappropriate disclosure of personal information. Several organizations were found wanting in their data protection practices – a lack of policies and poor staff training being the primary culprits. To mitigate these risks, it’s critical to review all data management procedures, provide adequate training, and implement robust security measures especially when dealing with sensitive information.
Secondly, organizations must promptly respond to Subject Access Requests (SARs). We’ve noticed that some organizations, including Plymouth City Council and Norfolk County Council, failed to comply with the SARs’ statutory timeframe. Responding to SARs within one month is an obligation, not a choice. However, this could be extended by up to two months for complex cases.
Finally, a case involving Sussex Police and Surrey Police highlighted the need for a ‘data protection by design and default’ approach when developing new apps or services. This means that from the inception of an app or a service, data protection measures should be at the core of the design process. Staff should be well-trained and aware of these measures.
In conclusion, these reprimands serve not just as a warning, but as an opportunity for organizations to improve their data protection practices. It’s time to turn these lessons into actions, ensuring that people’s personal information is handled with the respect and care it deserves.