Unit 5. Practical exercises

Business Scenario 1 – 72 hours Breach Notification

Due to a data leak, a national logistics company discovered that some of the personal data of 150,000 different customers in its customer portfolio had been compromised. Name, mobile phone number, and delivery address are among these personal information. In that instance, GDPR demands that businesses inform affected parties or specific regulatory authorities of a breach within 72 hours.

The company’s data entry officer or responsible employee must be provided with a completed and submitted form for data breach notification. However, a lawyer should also be consulted to determine what information requires advance notice. The company’s ability to effectively manage the process within itself may also be facilitated by the existence of a data breach response plan that the company develops internally in preparation for such an incident. 

Business Scenario 2 – Financial Reporting

It is commonly known that the accounting department of a business is the most significant unit responsible for making financial decisions. As a result, it is essential that this department’s information be kept confidential and can be accessible only to authorized individuals. In this case, let’s say that the accounting department has a folder, known as “Performance Monitoring Folder”.  This folder contains related information about employees in different departments of the company, like monthly salary, monthly extra bonuses based on performance, analysis and evaluation of future salary results, etc.

If the company has effective log management, log entries can also be saved to instantly monitor who has logged into the folder and their transactions. For instance, system administrators may be notified due to logging when an accounting department employee changes or deletes information in this folder without permission.

At this point, the administrator can also easily ascertain who is logged in. Both the current GDPR and applicable standards necessitate log management to prevent information leakage and business breaches.

Business Scenario 3 – Need for GDPR

Institutions are considered responsible for GDPR if they offer goods or services to people in the European Union who are in control of personal data or keep track of how these people behave. In the GDPR’s text, the term “monitoring behavior” refers to technological methods of determining consumer preferences and habits by monitoring people’s Internet activities. Although it does business outside of the EU, it is realized that GDPR will apply to businesses that sell to EU customers.

To put it succinctly, if your small or medium-sized business processes personal data, it must abide by the GDPR. Nevertheless, if the processing of personal data is not a central part of your SMEs and its primary operation does not pose risks for people, then some responsibilities of the GDPR will not be applicable to you (e.g., the appointment of a data protection officer (‘DPO’).

Case Study – Solving data protection challenges in company accounting practice

Company Profile

A growing independent accounting firm with approximately 100 employees and four locations across two counties. Through acquisitions, the company has increased in size and expertise over the past few years, necessitating the addition of new procedures and the integration of existing IT infrastructure.

Accountancy Practice:


The company regularly collects, processes, and stores sensitive client data (such as personal pensions, etc.) because it specializes in accounting, tax, and business consulting. They must always know exactly what data they store and where it is stored to protect any sensitive data from getting lost.

The company had evaluated its data protection in accordance with the Cyber Essentials program in addition to the GDPR, and it was looking to further enhance its security in accordance with the CIS standard.

During the COVID-19 pandemic, the working from home initiative made it urgently necessary to provide employees with applications out-of-office applications to ensure that work and paid time off can continue.

Using older, more industry-specific applications that can be accessed via remote desktop presents extra security problems for IT teams compared to cloud-based applications that are designed with security in mind.


An evaluation of the company’s cyber security is required. This should be done by assessing the company’s appetite for cyber risk and its current security posture. Companies then need to establish reports and take action to ensure cyber resilience.