In today’s regulatory environment, compliance should never be just a tick-box exercise. Organisations must move beyond theoretical frameworks and ensure operational readiness when faced with real-world challenges. Weightmans’ recent Lunch and Learn session, led by Thomas Barrett, explored this critical issue, and Slido poll results from the event give some indication as to how widespread gaps in preparedness are.
The compliance illusion: paper versus practice
The compliance industry often pushes checklists and document reviews as the core activity businesses should undertake to ensure they are prepared. Many businesses believe that documented policies, together with external certification or approval of particular documents or schemes, equal preparedness. In reality, compliance on paper often collapses under operational pressure. When the ICO or a data subject comes knocking, organisations need to be sure that their staff and systems are resilient in practice, not just on paper, with tested processes rather than templates.
Audience insight:
- 39% of respondents said they could produce less than 50% of the key compliance items specified in the online question within 30 minutes.
- When asked about document accuracy and review, 55% said fewer than half of their documents had been updated in the last 12 months.
- Practical preparedness is very different from the traditional paper approach to compliance. Organisations may appear compliant, or have a false sense of security about their compliance, while lacking operational resilience.
DSARs: the avalanche waiting to happen
Data Subject Access Requests (DSARs) remain the most powerful individual right under GDPR and potentially across all UK law. Despite being underused, their complexity and frequency are increasing. The session stressed:
- Zero-day planning: Prepare before requests arrive, with clear triage processes to be implemented and a proactive approach to data retention and hygiene generally.
- Scope and scale: DSARs can expose weaknesses in data mapping and governance. Organisations are regularly shocked to find how far apart their expectations and the reality are regarding how much data they hold on any particular individual. By the time a DSAR lands it is too late. To prevent the avalanche, organisations need to stop the “snow” building up in the first place.
- Testing exposure: Regular simulations and dip tests help identify vulnerabilities and assess the level of exposure.
Audience insight:
- 70% of respondents admitted they do not know the scale of data likely to be involved in an average DSAR, highlighting a major operational blind spot.
- Only 37% had completed a full name test search, a basic readiness check.
ICO powers: what’s at stake
The ICO’s enforcement toolkit is extensive and evolving:
- Information notices (s.142): Mandatory disclosure of records
- Assessment notices (s.146): Spot checks on compliance
- Warrants of entry: Physical inspections under Schedule 15
- Interview notices (coming soon): Direct questioning of key personnel
Organisations must maintain readiness through (amongst other things):
- Accurate ROPA (Art.30) records
- Up-to-date privacy notices and DPIAs
- Clear retention policies and processor contracts
- Documented lawful bases for processing
Audience insight:
- 65% have not onboarded all the external partners needed to deliver some DSARs or wider processing activity. With tight deadlines for requests from either the data subject or the ICO, there is unlikely to be any time to spare to onboard partners and sign contracts. Organisations need to have all essential partners fully onboarded, or face the likelihood that they will breach deadlines before the work has even begun because of the lead-in time needed.
Being ‘data fit’: a cultural shift
Compliance is not a static achievement but a dynamic capability. Like training for peak physical performance, organisations must embed privacy into their operational DNA. This means:
- Regular policy reviews and audits
- Staff training on data rights and breach protocols
- Integration of privacy considerations into digital transformation initiatives
- Focusing on practical measures, processes and outcomes more than on particular achievements or certifications
The bottom line
Organisations that invest in readiness through robust governance, tested processes and continuous cultural alignment will not only improve compliance and likely avoid penalties, but also build trust and competitive advantage. Being prepared for the worst may be the difference between your organisation suffering a manageable data incident and a full-scale disaster.
CyXcel, a Weightmans business, offers tailored solutions across every stage of your digital journey, from urgent breach response and dispute resolution to long-term operational resilience and transformation. Whether you require an ICO investigation simulation, DPO support services, legal expertise more generally, or support in building your cyber resilience, we’re here to help you stay compliant and secure.
Get in touch with Weightmans today to discuss how CyXcel can support your organisation’s data protection strategy.