Posted on

Business Centre Break-In and Data Protection

Padlock | Cybercrime Legal Services

Business Centre Break-In and Data Protection

If your business experienced computer theft, would the data you hold be safe?

The recent break in at Chichester Enterprise Centre is, sadly, one of many that happen daily across the UK. But this is more than an unfortunate inconvenience for the businesses based in the building. The implications can be astronomical. When computers are stolen data is immediately put at risk. Following the new General Data Protection Regulation (GDPR) legislation that came into force in the UK in May 2018, businesses and organisations, big and small, have an obligation to keep data safe.

Your obligations under GDPR

The introduction of GDPR saw the most important change in data protection law in 20 years. With it came new obligations and duties which organisations of all sizes are required follow to keep data safe. So, what do you need to do if your business ‘computers get stolen? How safe is the data stored on them? Is your business covered by cyber insurance?

Unfortunately, a staggering 60% of small to medium-sized businesses who experience a Cyber attack following a data breach. are forced to liquidate within 6 months of being Attacked!

The good news… this is preventable!

Would your business be covered if you suffered data theft?

If your business stores personal data such as names, email addresses, addresses, medical data or banking information, you need cyber liability insurance.

If your business relies on computers, communicates using electronic methods or has a website, you need cyber liability insurance.

If your business collects payments using a merchant card facility, you need cyber liability insurance.

Without this insurance, you could find your business facing both financial and reputational consequences.

A final word on GDPR and small businesses

GDPR legislation affects every business in some way. You might think your business is too small and is therefore immune to the new law, but you may be surprised. If your organisation has a website – and let’s face it, most do – you have legal obligations! You must display the correct legal documentation on your site for visitors to access and understand. Failure to do this could result in your business breaking the law, and ultimately receiving a fine or other punishment. It is far better to be prepared and to limit your liability in the first place.

Speedy action by Chichester Police force has resulted in the arrest of those responsible. Our thoughts are with those affected by the recent break-in at Chichester Enterprise Centre.  If we can be assistance in anyway please contact Owen Costen Head of Compliance Services.



Posted on

Do we need a Data Protection Officer?

DPO Note | Cybercrime Legal Services

Do we need a Data Protection Officer?

In 2018 we saw one of the biggest updates to data protection law in years, the General Data Protection Regulation (GDPR). With it came new obligations and duties which organisations of all sizes must follow.

One prominent update was the introduction of a duty to appoint a Data Protection Officer (DPO) if a company fulfils certain criteria.

Who is legally required to appoint a DPO?

Under new data protection law, a company or business must appoint a DPO if:

  1. They are a public authority/body as defined within Section 7 of the Data Protection Act 2018;
  2. Their primary activities (those being, the processing of personal data needed to achieve the key objectives of the company) require large scale, regular and systematic monitoring of individuals (such as online behaviour tracking); or
  3. Their primary activities require large scale processing of special categories or data, or data which related to criminal offence and convictions.

What is ‘large scale’? Whilst the law doesn’t define exact figures, it states a business must, when determining whether the process is on a ‘large scale’, consider:

  • The number of data subjects concerned;
  • The volume of personal data which will be processed;
  • The geographical reach of the activity;
  • The duration of the activity; and
  • The range of different items of data being processed.

Even if a business does not fulfil these criteria and does not legally need to appoint a DPO, it must ensure it is sufficiently staffed and resourced, with the applicable knowledge on hand, to fulfil its obligations under GDPR and other relevant data protection law. Since a DPO can monitor a business’s compliance and provide advice and support in fulfilling compliance, it is best practise to appoint a DPO even if not legally required to.

If a business voluntarily decides to appoint a DPO, they must abide by the same standards as a business legally required to appoint a DPO. If a business decides not to appoint a DPO, this decision and the reasoning behind it should be documented to demonstrate compliance.

What is a DPO?

A DPO will assist the company to monitor internal compliance with data protection legislation and guidance, and most importantly to inform and advise on the company’s obligations. A DPO will also provide any data subjects (a person for which the company holds personal information about) with a point of contact for any requests or concerns.

Their role will include organising staff training, raising awareness within the company of data protection issues, conducting internal audits, reviewing data protection policies and cooperating with the supervisory bodies.

Who can be a DPO?

A business can appoint an existing employee to be their DPO, or they can appoint someone externally. They must however, be completely independent with sufficient expertise in data protection and provided with adequate resources.

A DPO must be appointed based upon their professional qualities, particularly their experience and expertise in data protection law. Whilst the exact credentials expected of a DPO are not laid out by GDPR, a DPO is expected to have proportional experience and expertise to the level of protection the personal data will require. For example, if the personal data and processing of it is particularly risky or complex, the DPO’s knowledge should be appropriately advanced.

A DPO can have other roles within a company or businesses too, but they must not pose a conflict of interest with the DPO’s primary tasks and responsibilities. As DPO they must report to the highest management level at the company.

For small businesses or charities without the resources or knowledge in house to fulfil the requirements of a DPO, an external service is a useful solution to comply with GDPR. We provide an affordable service to enable all businesses and charities small to large with an expert and professional DPO. Read more here or get in touch for our packages and quotations.

Does a business have to follow the advice of their DPO?

A business does not have to always follow the advice of their DPO, however the decision and the reasons for making it must be documented to demonstrate accountability and compliance.

The DPO is not personally liable for data protection compliance, the company as the controller or processor remains liable to comply with relevant law.

Do the DPO’s details need to be published?

Data protection law requires a business to publish the contact details of their DPO and to provide them to the ICO. Details can be registered here.

Need more guidance?

Get in touch with our experts by contacting us at or , and we will be happy to help.