GDPR Fines & Storing Data On Spreadsheets – Are You at Risk?

  • In April 2018 a fine was issued against London’s Royal Borough of Kensington & Chelsea.
  • The London council was found to be in breach of Data Protection compliance requirements, after accidentally revealing personally identifiable information in a spreadsheet released during a freedom of information request
  • Storing data in spreadsheets may result in businesses becoming targets for GDPR fines

Are Excel Spreadsheets a Potential GDPR Compliance Problem?

If you are reading this, it is likely that you have at least one excel spreadsheet hiding somewhere in your marketing or business organization arsenal. From lists of supplier details to full-blown marketing databases, Microsoft Excel spreadsheets are the organizational bedrock of businesses. However, did you know that using spreadsheets can lead to GDPR fines?

Blog Images

How Spreadsheets Threaten GDPR Compliance

New data protection regulations imposed by the EU, recently sent businesses scrambling to ensure that websites and communications strategies are GDPR compliant. However, some companies may have overlooked a critical compliance issue.

London’s Royal Borough of Kensington & Chelsea was fined by the UK’s Information Commissioner’s Office, for non-compliance with the Data Protection Act(the incident occurred prior to GDPR being implemented). Moreover, the £120,000 fine in question was levied after the London council released a Microsoft Excel file to a member of the public, which contained the personally identifiable information of 943 Kensington and Chelsea residents. 

Excel Spreadsheets & GDPR Access Control Issues

In the case of the Royal Borough of Kensington & Chelsea fine, the London council operated a fully compliant website. However, the council was found lacking in how they managed data held in a back-end, presumably offline database.

Like millions of businesses, the Royal Borough of Kensington & Chelsea, stores thousands of mission-critical records in spreadsheet format. During an Information Commissioner’s Office investigation, it was found that documents requested as part of a freedom of information request, were provided to a member of the public as is. (i.e. Personally identifiable information contained on spreadsheets, was not redacted before records were released.)

Blog Images (1)

Could Your Business be at Risk of Similar GDPR Fines?

In the case of the Royal Borough of Kensington and Chelsea, the London council was negligent in providing a non-redacted spreadsheet to a member of the public. However, GDPR data breaches don’t just happen as a result of negligence.

  • Similar GDPR fines can be imposed when databases holding similar records are hacked
  • GDPR fines are applicable wherever internal controls aren’t in place to restrict who has access to certain types of data

Given the above, there is a strong argument to be made that storing personally identifiable information in spreadsheets is inherently high-risk.

  • Spreadsheets held in non-encrypted databases without strict access and sharing controls are a potential GDPR liability
  • Even when stored offline, customer contact information, communication records, payroll details, and supplier details, need to be stored GDPR compliantly
  • Ideally, personally identifiable information in any business database needs to be anonymized, encrypted and subject to strict access controls

How Lead Labs Can Help

In light of the fine made against the Royal Borough of Kensington and Chelsea, UK and EU businesses may want to rethink how they manage internal databases. There is good news, though. This being that for SME’s who process personally identifiable information, LeadLabs can make doing so altogether easy.

LeadLabs knows how high-risk using spreadsheets to store information can be. All-in-one LeadLabs GDPR compliance tools, therefore encrypt and store data compliantly out of the box. To find out more, click here.


We promise. No spam.