GDPR – be careful when processing personal data

The introduction of UK GDPR legislation in 2018 affected everyone – individuals, workers, private companies and public authorities.  In principle, it sounds straightforward – just be careful when processing personal data.  In reality, it’s far more complex – and the penalties can be severe.  Most of us have heard about the biggest breaches and the associated fines – Google (£43.2m), H&M (£32.1m), British Airways (£20m) to name but a few.

Breaches affecting fewer data subjects tend not to make the news headlines; however, 40% of incidents reported to the Information Commissioner’s Office (ICO) in Q2 2023 involved the personal data of fewer than 10 people – an increase of 14% over Q2 2022.  The stats are quite fascinating – for example, the highest incident type of 2023 so far is “data emailed to incorrect recipient” – and non-cyber attacks account for 69% of breaches reported to the ICO.  Other “human error” reasons include:

  • Unauthorised access
  • Data posted to incorrect recipient
  • Loss of paperwork
  • Failure to obscure or remove sensitive information
  • Failure to use bcc

Here are some helpful tips to avoid data breaches:

  • All devices should be password protected
  • Change passwords regularly
  • Don’t share passwords – but if it does happen, ensure that the password is changed immediately
  • Have a clear desk policy to help minimise the risk of sensitive information being left unattended
  • Keep paperwork/physical copies to a minimum – where possible, access electronic versions
  • Name documents clearly and consistently
  • Use blank template documents and store them separately to save overwriting previous documents
  • Review access controls – not everyone needs access to everything – where can you tighten access controls so that employees only have access to the personal data they need to carry out their role?
  • Use restrictive covenant clauses in your employment contracts to deter employees taking data with them when they leave or soliciting customers whose information they had access to while employed by you (if you need help with this, contact us at
  • Be careful not to talk about personal matters where you can be overheard
  • Dispose of confidential waste either by using a shredder or installing a confidential waste bin
  • Encourage employees to double check emails before sending – auto-predict is really helpful until you email your colleague Alex the monthly payroll that should have gone to Alex your payroll processor…

The ICO recommends that all companies have an all-employee data protection and information governance training programme which includes training on key areas of data protection such as handling requests, data sharing, information security, personal data breaches and records management.  The training programme should include induction (within one month of their start date) and refresher training for all employees.

If you don’t already have GDPR training in place, People Business can help.  We have created a package that includes GDPR eLearning in line with ICO requirements for all employees.  The eLearning is broken down into several modules and includes an assessment at the end of the training to test staff understanding and make sure that the training is effective.  A “GDPR cheat sheet” is provided upon successful completion of the training to help keep people focused on the key points of the GDPR.  We also have a face-to-face workshop which can be held after the eLearning to further check and embed employees’ knowledge.  If you’re interested in finding out more, email us at