Throughout December, we are sharing our top 10 data protection ‘Christmyths’.  These Christmyths highlight some of the common data protection misconceptions that we come across – but sprinkled with a dusting of festive humour.  With the help of Alison Jones, our eponymous and effervescent caricature DPO, we share these misconceptions with you, explain the reality behind them and present the best practice alternatives to consider.  Merry Christmas.


Cloud providers operate a ‘shared responsibility model’. Therefore, whilst the likes of AWS or Azure, or your cloud CRM provider will be responsible for the security of the physical platform, it is still your responsibility to ensure you use strong passwords, you disable unused user accounts and train your staff to not fall foul of malware, phishing and social engineering scams.


Anonymising data is a robust measure to protect personal data. However, it is more complicated than simply removing names. To truly anonymise data you must ensure that other identifiers cannot be used in order to ascertain the identity of the data subject. Examples include patient numbers, employee IDs and national insurance numbers etc that could be combined from other datasets therefore uniquely reidentify the individual.


Christmyth 3

Restricting access to systems and data using strong passwords that are difficult to guess is fundamental. However, how and where you store those passwords is equally important. Passwords should never be stored in plain text. Cloud-based password managers, such as LastPass, can store all your passwords in a secure, encrypted database that uses multi-factor authentication to ensure that only those authorised have access.


Phishing attacks are becoming not only more frequent, but also more sophisticated. Consider the fact that your colleagues’ names may be in the public domain, for example, on your company website, so be extra vigilant. If you are ever unsure, contact that person directly to verify that the email is legitimate before clicking any links or opening any attachments. You should be especially cautious where emails ask you to login to accounts, verify credentials or provide bank account details.


Using SaaS platforms will certainly help to keep your data secure and contribute to your overall compliance with data protection laws, such as the GDPR. However, their use alone does not mean your entire organisation is compliant with data protection laws. Ensuring you have a lawful basis for processing personal data, implementing retention policies, minimising data gathering, providing staff training, responding to individuals’ rights requests and performing vendor and supplier due diligence are also fundamental to your organisation’s ability to demonstrate compliance and to be accountable for the personal data you process.


It may not always be obvious that your website collects personal data, but most websites do. Website platforms such as WordPress and tools such as Google Analytics, capture visitors’ personal data within ‘cookies’ and log files. Therefore, in order to comply with the Privacy and Electronic Communication Regulation (PECR) that sits alongside the GDPR, your website will need user consent before allowing certain types of Cookies, and you will also need to describe the purpose of each cookie in a cookies statement. To find out what cookies your site uses, use an online tool such as


Just because processing personal data in a particular way serves your organisation’s interests, it does not always mean that you can justifiably rely on ‘legitimate interest’ as your lawful basis for that processing. You must first complete a Legitimate Interests Assessment (LIA) that balances your company’s legitimate commercial interests against the impact it may have on employees’ interests, rights and freedoms. If you cannot demonstrate a balance between the two, then legitimate interest would not be an appropriate lawful basis upon which to rely.


Storing data on a removeable drive or USB stick may seem like a simple and inexpensive solution, but in practice it is not a suitable method for storing and protecting business data – especially sensitive ‘special category’ data as is likely to be found in an HR system. USB sticks can be easily lost or stolen, which presents significant data protection risks, and they can become easily corrupted. If you must store backups on any kind of removeable media, make sure the data is encrypted and password protected. Better still, store backups in the Cloud using encryption and multi-factor authentication. This way, the data can be securely accessed from multiple locations, but is likely to be better protected from loss and unauthorised access.


In addition to the commercial terms between you, contracts between controllers and processors exchanging personal data need to contain (or have addended) additional terms relating to how the personal data exchanged will be processed. They outline the responsibilities of each party so that the data controller retains control over the processing and both sides can be held accountable for their actions (or non-action). These clauses ensure that (amongst other things) your processors understand the safeguards they must have in place, breach notification responsibilities, supporting responses to individuals’ rights requests and what should happen to personal data when you stop working together. This way, each side is fully aware of what they need to do and where their liabilities sit if things go wrong.


Just because personal data is in the public domain does not necessarily mean that you can harvest it and repurpose it to fit your organisation’s own requirements. Platforms like LinkedIn have terms that outline how the personal data processed on their site can and can’t be used. Even if your organisation does get its data from the public domain, you are still required to demonstrate your own lawful basis for processing under the GDPR, and under other laws such as PECR if you are using data for email marketing.