Tips for family businesses – lessons learned from recent enforcements

The ICO has wide powers of enforcement, including its much publicised fining powers, but it also has plenty of other enforcement tools, from reprimands through to the ability to put a stop to all processing. The ICO publishes quarterly lessons learned, and looking back over the last few months, here are our three key lessons for family businesses based upon recent cases.

1. Top Tip. Avoid data breaches by having data policies in place and training staff.

In the first financial quarter, five organisations were reprimanded for disclosing information inappropriately, including some NHS, Police and Ministry of Justice organisations. Some of these are issues we see from time to time with clients: for example, failing to redact a document properly before releasing it in response to a Subject Access Request. Other issues included failing to securely destroy documents and displaying personal information on an electronic screen by mistake. Where there were data breaches, the ICO found that the organisations often did not have appropriate processes and policies in place or adequate staff training. The ICO recommends that all organisations should, firstly, review their data protection policies, procedures and guidance, including how to detect and report a personal data breach; secondly, provide adequate training for staff; and thirdly, ensure that there are proper measures in place regarding security and confidentiality.

2. Second Tip. Respond to Subject Access Requests on time.

Clients are often asked to devote valuable resources to Subject Access Requests (SARs) within the relatively short statutory period of one month. Two organisations were reprimanded for failing to respond within the statutory timeframe. A SAR includes not only the right to a copy of the personal information, but also the right to ask where the information was obtained from, what it is being used for and who it has been shared with. The ICO has recently updated its guidance on SARs, and if it is a while since you last looked at it, the updated guidance is worth reading.

3. Third Tip. Think Data Protection.

The final lesson learned from the last quarter was what the ICO calls “adopting a data protection by design and default approach”. In other words, treat data protection as an integral part of any new process. Sussex Police and Surrey Police were reprimanded for rolling out an app that recorded phone conversations and unlawfully captured personal information. Any new app, product or service that uses personal information should involve your data protection compliance personnel from the outset.

Staying compliant with data protection regulations is not just a legal obligation; it is a crucial part of maintaining trust with your customers and safeguarding your family-run business. The recent enforcements by the ICO have provided valuable lessons, and by implementing the three tips outlined in this blog, you can help ensure that your business not only meets the necessary standards but also thrives in an era where data privacy is paramount.

At Lupton Fawcett, we understand the unique challenges faced by family-run businesses when it comes to data protection. We specialise in providing tailored legal services to protect your business and its legacy. To learn more about how we can assist you in navigating the complexities of data compliance and safeguarding your family business, visit our dedicated page.
