With the benefit of hindsight, there is usually action that a trust could have taken to prevent a breach, or at least lessen its impact.
In particular, we've noticed that most trusts could do more regarding:
Under the GDPR, it is not enough simply to comply; you must also be able to demonstrate how you are complying through documentation. We've noticed that whilst most trusts have some policies in place, many lack all of the required documentation (eg a record of processing activities, records of consents) to show compliance. We are aware of Freedom of Information Act requests being made for certain data protection documentation.
It's not really a surprise that trusts have received a large number of subject access requests (SARs) since the GDPR came into effect. What was less expected is the number of people complaining about other aspects of data protection, for example, about academy trusts sharing their personal data with other organisations.
Trusts with procedures in place to deal with the exercise of rights (eg SARs) are in a much stronger position when up against the ticking clock of the statutory deadline. In addition, seeking legal advice at an early stage is helpful because there are often strategic considerations which should not be left until the last minute.
Trusts have understandably focused on compliance around their core activities. However, there are data protection considerations in relation to connected organisations, such as trading subsidiaries and PTAs.
For example, if a connected entity is a separate data controller, they will have to pay the data protection fee to the ICO unless they are exempt. Farrow and Ball recently lost their appeal against the ICO's £4,000 fine for failure to pay the fee on time.
We have also developed a Data Protection Manual containing key documents and policies for data protection compliance, including all of those which are explicitly required by the GDPR and the Data Protection Act 2018. Please contact us in the usual way if you would like to find out more.