Data Protection War Stories

Navigating privacy compliance can be hard. In this blog, DM Legal (data protection and privacy specialists) shares some war stories to illustrate how a DPO can protect and add value.

But first, let’s go back to basics and answer this simple question…

What is a Data Protection Officer, (DPO) and when do you need one?

A Data Protection Officer (DPO) is responsible for ensuring compliance with data protection regulations, offering guidance on obligations, and being your liaison with data subjects, regulators, etc.

You need a DPO when you process personal data on a large scale, if you conduct systematic monitoring of individuals, and/or if you handle sensitive data (as mandated by data protection laws, such as the GDPR).

Even if you don’t need one, appointing a DPO is often advisable, regardless of legal requirements, to help with your company’s data protection compliance and to mitigate risks associated with privacy breaches.

1. Is consent needed?

6pm on 24th May 2018, the day before the EU GDPR came into force. We’d been working with a large multinational for months to get them GDPR ready before the deadline and were their appointed DPO. They were ready, everything was fine… Then a phone call on speaker from the board:

“We see everyone is sending emails to ask for consent to marketing. We have an email ready and are about to hit send but want to double check with you.”

Frustrating as this was, because it had been addressed several times already, we confirmed it was not needed or advisable and why. Because if they did they were then prevented by law from sending marketing to anyone who had not opted in, which would result in a large percentage of the customer database becoming unusable overnight.

Lessons learnt for the board: Trust in the DPO. Upholding the DPO’s guidance demonstrates a commitment to ethical business practices, safeguarding against costly errors and maintaining integrity in data protection efforts.
Lessons learnt for the DPO: Keep your cool, explain your point of view, and do not cave in to panic.

2. Emails to the wrong person

At some point someone is going to send an email to the wrong person. It is a common error. And in general, recipients tend to be normal and either flag that it has happened or, at least, delete it when they are asked to.

But there are exceptions. For example, a company we worked with, where a senior director and a union representative shared the same name and HR kept sending the information about the former to the latter!

In another case, an invoice was sent to the wrong person and contained sensitive information about the correct recipient. The wrong recipient decided it was an opportunity to try and get some money out of the business. The board were rattled: Do they pay? Do they tell the regulator? Do they tell the affected individual? Will this be leaked to their competitors and damage the business?

In this case, careful management of the situation and diplomatic conversations between the DPO and the wrong recipient, the intended recipient, and the regulator were necessary. A review of security measures was also needed to ensure this wouldn’t happen again.

Lessons learnt for the board: It only takes one incident to be in a very high-risk situation, so design security measures to reduce the risk. Invest in good security and training. (Maybe even switch off email autofill.)
Lessons learnt for the DPO: Take measures that are proportionate and legitimate. Make sure you can justify them. And don’t bargain with someone acting in bad faith.

3. Data Subject Access Requests (DSAR) from ex-employees wanting to cause problems.

Exit negotiations with a difficult employee are coming to an end. Then you get the dreaded DSAR. They want all information you hold about them, not just personnel records, and they worked for you for over 10 years. They’ve asked for emails, messages, telephone, slack messages, etc.

A search using the individual’s first name, surname and nickname produced over 600,000 hits, before even looking at Slack. Even filtering the results gave thousands of documents and slack messages that would need to be manually processed. And the individual’s line manager was known for being ‘robust’ in his communications about staff. But in the end the DPO managed to negotiate a more limited search and response.

Lessons learnt for the board: Involve your DPO early so they can diffuse the situation, or at least minimise the impact.
Lessons for the DPO: Train line managers regularly to be cautious about what they write and say about staff. And make sure the business has a document / message retention policy, and sticks to it.

If you need help or want to discuss any of your data protection requirements, including whether you should have a DPO, please get in touch.

What do our clients think?

Our lawyer quickly understood our business needs and assisted us in a commercial and pragmatic way.
CFO - Sanctus
Having an experienced lawyer as your single point of contact to manage legal matters effectively whilst providing pragmatic solutions is exactly what you get from LegalEdge
Legal & Compliance Officer - Distributed
LegalEdge has provided invaluable support, and their customer service is second to none.
BD Director - Toca.io
LegalEdge’s practical approach to our day-to-day legal requirements has been second to none. I highly recommend their commercial contract support – it’s a game changer.
COO/CFO - Fluent Commerce
Our lawyers at LegalEdge have been fantastic partners to our company. They are pragmatic, responsive and personable.
Compliance Lead - Streetbees
We’re very pleased with the work LegalEdge are doing for us. We’re getting quick and decisive responses that are really helping us move forward.
FINANCE & OPERATIONS DIRECTOR - DEPOP
Our original MSA was very one-sided and not favourable to us, with LegalEdge’s help getting this agreement in place we have significantly reduced the risk to the agency.
Operations Director – Contracts and Commercial, - The Social Element
LegalEdge has provided unparalleled legal support to our EMEA business as our in-house lawyers to help us negotiate our software license contracts successfully and quickly.
VP & GM EMEA - Wherescape
The Intellectual Property audit provided by LegalEdge was extremely thorough. Securing our IP is enabling us to scale confident that our brand is protected under the law.
Founder - Arishi
It’s not an understatement that the new contracts gave us a lot of confidence in negotiating. It sets the right tone with our clients that we know what we are doing.
Operations Director - OneSixOne
I don’t always need the technicalities of a matter; LegalEdge provide pragmatic solutions that help us to close the deal.
Co-founder - Lexonis
LegalEdge has provided excellent, commercially focused advice as part of our in-house legal team that has helped us close contracts with our customers and partners.
CEO - Diona
The fact that all their lawyers have worked inside businesses means they are commercial, pragmatic and know exactly how to prioritise what’s important.
COO - Squirro
Having made the decision to outsource our legal work, we have been extremely impressed by how quickly LegalEdge have quickly understood our business.
Commercial Director - The Social Element
LegalEdge understood our needs more than any traditional law firm had before: we were able to dip in and dip out of their services, they acted like a general counsel for us.
Co-Founder - Young Foodies
We use LegalEdge for support on our contracts, and they do an excellent job!
Director - Haig Barrett Partners
LegalEdge are awesome at taking complex ideas and turning them into simple contracts whilst streamlining processes to make it easy to do business.
Founder - Lola Tech, a DataArt company
The LegalEdge team just intuitively understood our business and needs, picked up the matters that needed dealing with, and ran with them.
General counsel - The Engine Group
Working with a professional squad like LegalEdge on the legal stuff means, as CFOs, we can focus on what we’re good at – the numbers!
Founder - Emergeone
LegalEdge were brilliant from start to finish in helping us to develop a proper brand strategy and implementing it.
CEO - Placemake.io
LegalEdge have been fantastic advisers to our business. Between shareholder agreements & fundraise, Trademark & IP, and commercial agreements, we deeply value their guidance.
Co-Founder - Days Brewing
Having worked closely with LegalEdge I have no hesitation in recommending them to any business requiring smart, articulate and professional legal counsel.
Founder - Low Carbon Group
Working with LegalEdge has been a breath of fresh air! They have provided a unique, entrepreneurial approach to legal services within a rapidly growing organisation.
COO and Co-Founder - hybris GmbH (now a SAP company)
The support we have received has been first class – from day one. LegalEdge have gone above and beyond to truly understand our business.
Director EMEA Operations - Stella & Dot
The ideal solution for the busy in-house counsel who is unable to add a permanent head as you have the ability to flex support without the need to rely on expensive law firms.
Vice President and EMEA Managing Counsel - World-Check [now Thomson Reuters]
LegalEdge’s experience has proven invaluable as they have picked up, negotiated and completed contracts with commercial aptitude.
Group Counsel - Funding Circle
What sets LegalEdge apart is that they focus on problem solving and keeping issues in perspective. They know and understand our business and the array of legal issues we face.
Partner - Portal Tech Reply
As our trusted go to lawyers for complex contract queries and negotiations, LegalEdge know how to focus on the things that matter and to get deals done.
Commercial Director - Connect Managed
The Oxial team was very impressed with the quality of the contracts that the LegalEdge team produced for our business and with their responsive and collaborative approach.
COO - Hammer Team & Oxial

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_32854648_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

By LegalEdge News Apr 22, 2024

Data Protection War Stories

What is a Data Protection Officer, (DPO) and when do you need one?

1. Is consent needed?

2. Emails to the wrong person

3. Data Subject Access Requests (DSAR) from ex-employees wanting to cause problems.

What do our clients think?

Contact

Navigate Site

Stay In Touch