Access controls: Protecting your systems and data Is your data properly protected? Do existing staff or former employees have access to personal data they shouldn’t have access to? Keeping your business’ IT estate and personal data safe and secure is vital. One of the key ways to achieve this is by having robust access controls. Failure to make sure you have appropriate measures and controls to protect your network and the personal data on it could lead to a data breach. This could have very serious consequences for your customers and staff, and the business’ reputation and finances. How things can go wrong Recently a former management trainee at a car rental company was found guilty and fined for illegally obtaining customer records. Accessing this data fell outside his role at the time. In 2023 a former 111 call centre advisor was found guilty and fined for illegally accessing the medical records of a child and his family. In 2022 a former staff advisor for an NHS Foundation was recently found guilty of accessing patient records without a valid reason. Anecdotally, we know of cases of former employees being found to be using their previous employer’s personal data once they have moved onto a new role. The ability to access and either deliberately or accidentally misuse data is a common risk for all organisations. Add to this the risk of more employees and contractors working remotely, and it’s clear we need to take control of who has access to what. High-level check list 1. Apply the ‘Principle of Least Privilege’ There’s a useful security principle, known as ‘the principle of least privilege’ (PoLP). This sets a rule that employees should have only the minimum access rights needed to perform their job functions. Think of it in the same way as the ‘minimisation’ principle within GDPR. You grant the minimum access necessary for each user to meet the specific set of tasks their role requires, with the specific datasets they need. By adopting this principle, you can prevent the risk of employees gaining more access rights over time. You’ll need to periodically check to make sure they still need the existing access rights they have. For example, when someone changes role, their access needs may also change. If your access controls haven’t been reviewed for a long time, adopting PoLP can give you great start point to tighten up security. 2. Identity and Access Management IAM is a broad term for the policy, processes and technology you use to administer employee access to your IT resources. IAM technology can join it all up – a single place where your business users can be authenticated when they sign into the network and be granted specific access to the selected IT resources, datasets and functions they need for their role. One IAM example you may have heard of is Microsoft’s Active Directory. 3. Role-based access Your business might have several departments and various levels of responsibility within them. Most employees won’t need access to all areas. Many businesses adopt a framework in which employees can be identified by their job role and level, so they can be given access rights which meets the needs of the type of job they do. 4. Security layers Striking the right balance between usability and security is not easy. It’s important to consider the sensitivity of different data and the risks if that data was breached. You can take a proportionate approach to setting your security controls. For example personal data, financial data, special category or other sensitive personal data, commercially sensitive data (and so on) will need a greater level of security than most other data. Technologies can help you apply proportionate levels of security. Implementing security technologies at the appropriate levels can give greater protection to certain systems & data which demand a high level of security (i.e. strictly-controlled access), while allowing non-confidential or non-sensitive information to be accessed quickly by a wider audience. 5. Using biometrics How do you access your laptop or phone? Many of us use our fingerprint or facial recognition which give a high level of security, using our own biometrics data. But some say, for all their convenience benefits, they are not as secure as a complex password! But then, how many of us really use complex passwords? Perhaps you use an app to generate and store complex passwords for you. Sadly lots of people use words, names or memorable dates within their passwords. Security is only going to be as good as your weakest link. 6. Multi-factor authentication (MFA) Multi-factor authentication has become a business standard in many situations, to prevent fraudulent use of stolen passwords or PINs. But do make sure it’s set up effectively. I’ve seen some examples where MFA has to be activated by the user themselves. So if they fail to activate it, there’s little point having it. I’ve heard about data breaches happening following ineffective implementation of MFA, so do be vigilant. There are an array of measures which can be adopted. This is just a taster, which I hope you found useful – stay safe and secure!
Data Protection Complaints: NEW requirements A ‘must do’ for ALL organisations By June 2026 organisations be legally required to have a procedure in place to handle data protection complaints. This was one of the few new obligations ushered in by the Data (Use and Access) Act 2025. Final guidance from the ICO is expected this Winter, following a consultation which has now closed. This consultation document gave us some useful pointers on the steps to take. The aim of this change is to give anyone who is unhappy with how your organisation has handled their personal information a clear method for raising a complaint. For example, they could have a complaint about; a data breach which affected them your response to their Data Subject Access Request how long you’re keeping their data how you’ve profiled them or any other data protection relation matter I’m sure some of you reading this will have received a letter from the ICO in the past asking for a complaint they’ve received to be resolved by you directly with the individual. Essentially this approach is changing. Moving forward, in the majority of cases when the ICO receives a complaint, the individual will be asked to go through your complaints procedure first. A little warning. If you don’t have a clear procedure in place for data protection related complaints, the ICO may spot this pretty quickly should you come up on their radar. What the law says Organisations are legally required to fulfil the following: Procedure – give people a way of raising data protection complaints Acknowledgement – acknowledge each complaint within 30 days of receipt Action and progress – take appropriate steps to respond without undue delay, including making any relevant enquiries and keeping complainants up to date on progress Outcome – provide an outcome without undue delay How people can raise a complaint People must have a way of being able to raise a complaint directly with you. While the law doesn’t set out precisely how this must be done, the ICO gives some examples of different ways this could be achieved: Complaints form – for people to submit their complaint either electronically or in writing Telephone – allow people to make a complaint over the phone Portal – provide an online complaints portal Live chat – use a live chat function with the option to escalate to a human if needed In person – provide a way to make complaints in person if you don’t have an online presence Published complaints procedure Many organisations particularly those in the public sector will already have a complaints procedure which could be adapted for this purpose. For those which don’t, the ICO expects you to write one and publish your procedure on your website, or provide it to people at the earliest opportunity. This would be expected to cover: How people can make data protection complaints What people can expect from your process (e.g. acknowledgement within 30 days, kept informed of progress, and provided with an outcome without undue delay) In our opinion it would seem fitting to add the key points of your complaints procedure to your external privacy notice, and replicate this in any other relevant audience specific privacy notices. Asking for more information If evidence or additional information is needed, such as reference numbers or proof of ID, this should be asked for at the earliest opportunity. It would be helpful to mention this in your published procedure, for example ‘we may need to ask for proof of ID’. Complaints made on someone’s behalf As with privacy rights requests, an individual may make a complaint on someone else’s behalf. You’ll therefore need to make sure they are authorised to do so, for example by seeking power of attorney or a signed letter of authority. The ICO is clear if you have no evidence a third party is authorised to act on someone’s behalf you aren’t required to investigate a complaint, but should respond explaining this. The 5 step data protection complaints process 1. Acknowledge The law doesn’t prescribe how an acknowledgement should be provided but the ICO gives the following examples: Verbal complaints – Keep a record and follow up in writing (e.g. by email or post) Email / live chat – an automated response could be used Letters – acknowledgement by post The 30 days in which you must acknowledge a complaint starts the day after you receive the complaint, regardless of whether you received this on a weekend or bank holiday. If the last day to acknowledge falls on a weekend or bank holiday you have until the next working day. The ICO says you must have arrangements in place to acknowledge and continue handling complaints, regardless of whether key people are off sick or if your organisation is closed. An important point for organisations such as schools or colleges which may close for a period of time. 2. Investigate You must investigate the complaint without undue delay. If it’s not clear what the complaint is about, you should ask for more detail as quickly as possible. It may also be useful to ask people to let you now the outcome they’re seeking, and if you choose to use a complaints form, this point could be built-in. You’ll need to gather the information necessary to respond to the complaint and the ICO tells us this might include taking actions such as; Looking at relevant facts thoroughly, fairly and accurately Speaking to relevant staff Comparing information you hold with the information from the complainant Checking you’ve upheld your own terms, policies and standards 3. Update on progress There’s a duty to keep people updated on the progress of your investigation. If it’s likely an investigation is going to take some time, you’ll need to tell them you’re working to resolve the issue. You can always provide them with a date for when you expect to complete your investigation, and give them a point of contact if they have any questions. 4. Provide outcome Once the investigation is completed you must provide an outcome to the complainant without undue delay. The ICO says this means ‘as soon as possible’, and would expect your response to include the following: A clear explanation of what you’ve done to resolve their complaint Any actions you’ve taken (where appropriate) Enough information to help the individual understand how you’ve reached your conclusion If the individual is not satisfied with your outcome, you should tell them they have the right to complaint to the ICO, and it would be good practise to provide them with the regulator’s contact details. If they then tell you they’re planning to complain to the ICO you don’t have to get in touch with the regulator yourself. The ICO will come to you if they need more information. Crucially you must be able to justify why you handled a complaint in the way you did. Which neatly brings us on to… 5. Record keeping It will be necessary to keep evidence of your approach to each complaint you receive and the ICO recommends keep a record of the following: the date you received the data protection complaint your acknowledgement any relevant conversations and documents the outcome of the complaint any actions you took as a result of your investigation You may be asked to provide this evidence to the ICO, or other industry bodies. In all of this don’t forget data retention, it would be a good idea to agree how long you’ll keep records of complaints. Key steps to take now We’d recommend taking the following actions: Collaborate with relevant colleagues and agree your approach Assign responsibility for investigating and reviewing complaints Publish your complaints procedure (prior to June 2026) Start raising awareness and adapt relevant training so staff know how to recognise a data protection complaint and know what to do if they receive one. For more information see the draft ICO Complaints Guidance