top of page

Bad trends: 3 Critical Mistakes Businesses Are Making with Data Protection

Data protection is a vital component of your business reputation, your financial wellbeing, and your ability to function as a legitimate organisation.

Despite that, businesses are still making critical and basic mistakes with the way they approach data security. Here are three, all-too-common errors...

1. The password-in-a-separate-email blunder

This is the practice of sending an email containing a password protected file and following it up with another email, this one containing the password.

Safe? No! Whilst it does help a little, if a hacker breaks into your comms or your emails get leaked, both the file and the password are quickly taken. As an example, think of ordering a safe box and shipping the keys along with it… similar principle. This may be deemed as low effort by the authorities when other options are available out there.

The right approach is to use two separate channels for protected files and passwords. Those channels could be SMS, authenticators, phone call or normal mail. The key point is that this two-factor-authentication process is far more secure than using just one channel.

2. The too-casual choice of consent.

Too many businesses use ‘consent’ as their go-to legal basis for collecting personal details. Why is that a mistake? Because consent is not a one-size fits all solution. It’s there to be used – predominantly – when you can offer people real choice and control over how you use their data. Sometimes that's just not possible.


· Must be given freely

· Can be withdrawn at any time.

Here’s an example where consent is not the appropriate legal basis for collecting information:

Imagine that you process your employees’ payroll information based on consent. If an employee withdraws their consent, how will you keep your records for the tax authorities?

In instances like this, you need to use other legal bases to collect the information you require.

3. The legitimate interest fudge

Data protection laws require businesses to have a legally sound reason to handle someone’s personal information. One of the grounds for doing this is asking for consent to use their data in order to fulfil a stated purpose. Another is claiming legitimate interest: here, the business is making an assessment that there is a valid reason for this data usage.

Both consent and legitimate interest are legal bases for processing data. However, a new practice is cropping up that is definitely at the murky end of acceptable behaviour: websites are creating two requests to gather data, one flagged up as consent and one flagged as legitimate interest. The data requested is usually the same in both instances.

Why is this questionable? You don’t ask for legitimate interest, you either have it or you don’t – it’s an assessment, not a question to the user. And... someone already objecting to give consent automatically means they have no legitimate interest for that data collection practice anyway. You should not use legitimate interest if you are using personal data in ways people do not understand and would not reasonably expect, or if you think they would object if you explained it to them.

This practice hasn’t been declared unacceptable in any jurisdiction yet, nonetheless, it has all the hallmarks of a behaviour with which the law will – eventually – catch up.

Cross-border employers. Do you want advice about data protection?

At PEO Legal, we provide legal and compliance advice for professional employer organisations and staffing companies around the world. If you want advice about data protection, or any other point of cross-border employment law, contact us, today:


bottom of page