A number of subscribers have told us tales of woe concerning the GDPR.
Some have received data protection “subject access requests” and were unsure how best to respond. It can be not only time consuming but also difficult to respond, e.g. because you may have to redact information which is confidential or privileged. This requires thought and care, particularly when the person making the request already feels aggrieved and hostile.
Others have had a breach of data security. That can be as simple as an email with confidential information being sent to the wrong person. The big issue there is whom you need to tell. That may include (1) the ICO, (2) people whose personal data is affected, and (3) the client, if different.
We have sent subscribers guidance on both these issues. That includes checklists of what they need to do, and a precedent letter to send to a person making a subject access request.