Lock and Load – 8 Reasons to Be Proactive With Your Data Protection Compliance

Posted on 12th May 2025 in Data Protection

Posted by Jessica Whittick, Solicitor

In recent weeks M&S, Co-op and Harrods have made the headlines with data breaches. It’s a known fact that cyberattacks are increasing but a common misconception is that organisations will not be responsible for lost/stolen personal data arising from a breach. This insight explains how to be proactive with your data compliance and how our lawyers can help you.

1. Data protection compliance is not voluntary!

Compliance is mandatory for organisations that process personal data, as required by regulations like the UK GDPR. Organisations must adhere to these rules, and failure to do so can result in fines, complaints, litigation and other enforcement actions. 

2. Cyberattacks are on the rise, and your business will be held to account for the data breaches that result

It has been reported that cybercriminals are utilising AI to improve the speed and impact of cyberattacks. A data subject has a right to privacy, and if they decide to share their data with your business, the onus is on you to keep it safe.

In its recent statement concerning a law firm’s cyberattack the ICO wrote, “We found DPP failed to put appropriate measures in place to ensure the security of personal information held electronically. This failure enabled cyber hackers to gain access to DPP’s network, via an infrequently used administrator account which lacked multi-factor authentication (MFA), and steal large volumes of data.”

Protecting personal data involves careful consideration of risk analysis, organisational policies, and physical and technical measures. Software, a form of technical measure, is just one ingredient in the mix. Everyone in an organisation responsible for using personal data (which includes storing it) has to follow strict rules, and lawyers play a crucial role in navigating the complex legal landscape surrounding personal data.

3. The costs and operational time dealing with a cyberattack are disproportionate to the costs of actioning compliance

It is difficult to estimate the costs of dealing with an incident, but we know that half of all UK businesses have experienced some form of cybersecurity breach. Research shows that in 2018, it cost small businesses about £25,700 in clean-up costs following a cyberattack, and these will have increased significantly since that date. IBM reported that 75% of the increase in average breach costs in their 2024 Data Breach Report study was due to “the cost of lost business and post-breach response activities. The lesson: investing in post-breach response preparedness can help dramatically lower breach costs.”

Understanding whether a data breach is reportable to the ICO and what to do next is vital training for your employees. Our specialist lawyers can provide an overview of the legal landscape and help you draft effective policies and procedures in the event that you suffer from a breach.

4. Your organisation’s use of AI may not be lawful, and you may face legal action

You may not even be aware that your employees are using it. Before processing personal data you are legally required to let the individuals know how you are processing their data and the legal basis for that. We see organisations inputting personal data into AI models without setting this out to individuals and giving them the choice to not use your services.

We can assist you with ensuring you are being transparent to customers about how your organisation is using AI, implementing clear policies and training your employees to understand how to use AI within the parameters of data protection law.

5. You can avoid the costs and stress of protracted data protection litigation

If you receive a letter of claim you are required, by the Courts, to respond within a certain timeframe and you could be penalised on costs for non-compliance with the Court rules. If you do not respond then the Claimant may bring proceedings against you without delay.

In England and Wales, it’s possible to bring a claim against another party where there is no cause of action. We frequently receive instructions where an organisation has received a letter of claim without using the correct cause of action (grounds in law to sue). It’s a feature of our legal system that a Defendant will incur costs in dealing with a weak claim, and the general position is that you would only be able to recover a contribution towards your costs if the matter were to proceed to a final hearing. Most cases settle, but addressing data protection matters proactively will avoid the need to instruct lawyers to assess the risk of proceedings against you and respond to a letter of claim.

6. You can avoid a complaint to the Information Commissioner’s Office

The ICO is the UK’s largest independent body set up to uphold information rights. It has various enforcement powers. A complaint to the ICO can relate to any issue around personal data or required access to data.

You will usually be required to respond to an ICO complaint within 21 days, but the information required is significant and it may take up a lot of time and resources to pull together. In the event that your response is unsatisfactory, you may find yourself facing ICO enforcement action.

7. You can avoid enforcement action by the ICO

The ICO has various enforcement powers, including:

  • Issuing an enforcement notice.
  • Issuing a penalty notice.
  • Exercising their inspection powers.

We have provided written representations to the ICO in respect of data breaches but the costs are significant and a proactive approach to compliance will help you avoid a protracted complaint with the ICO.

8. You can avoid reputational damage

ICO decisions are posted online. This may affect your customers, your ability to secure investment and to defend litigation.

How can Tozers assist you with data protection compliance?

We can help by providing advice and guidance. Our expert solicitors can discuss technical and organisational measures to mitigate or manage the risks that arise when using software and systems, draft bespoke data protection policies and compliance documents, and provide training to staff. We assist a broad range of clients across various industries and have specialist lawyers assisting start-ups, market leaders, charities and social enterprises, registered providers of social housing and holiday parks.

Why should I instruct Tozers for data protection matters?

As a top firm for client satisfaction, we have built a reputation as good listeners who can help break down complex legal jargon into words you can understand and are experts at advising on your organisation’s situation.

If you require advice, speak to one of our legal experts today in a no-obligation phone call. 
