Data protection is now an integral part of the way that we all do business – or should be. Although legislation about data protection has been on the statute books since 1984, the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 which came into force in May 2018 have brought a new focus on the subject.
The headlines have been all about the fines that the Information Commissioner can now levy and it is true that there have been a number of high profile cases and significant penalties. The cost of non-compliance with data protection law goes further than the risk of a fine. The time needed to deal with a data breach or the exercise of an individual’s rights under GDPR legislation is significant. It is greatly increased if a business has not thought ahead and created the policies and procedures and invested in the training so that all staff know what to do.
All data controllers are required to maintain a record of the data that they collect, the purposes for which it is used, to whom it may be sent and how long it is kept. The starting point is a data audit. An organisation needs to know what information it is collecting, where it is stored and how it may be used.
A data controller must implement appropriate technical and organisational measures to protect data. The protection of data is not simply a matter of cyber security to be left to a business’s IT department. It covers all aspects of the business from the control of access to the premises to the disposal of confidential waste.
Our solicitors can conduct a data audit with you to identify the areas of your business in which data protection needs to be improved and produce an action plan to improve compliance. The audit is the key to understanding what information you collect, why you collect it and the legal basis for the processing.
Data policies and procedures
A business should adopt an overall statement of its approach to data protection and individual procedures to implement the policy:
- What information do you give new customers and contacts? The information must be both legally correct and user friendly.
- What information do you collect about users of your website and how do you tell them about it?
- How do you recognise a request by an individual to exercise their rights under the legislation?
- What are good working practices to reduce the risk of a data breach?
- What do you do if there is a data breach?
LA’s specialist data protection lawyers can help you to write your policies and procedures and provide training for your employees through seminars or talks or by the provision of training materials.
Privacy notices, subject access requests and other rights
Anyone about whom you hold personal data (“a data subject”) has rights set out in the data protection legislation.
- You must tell a data subject about the information that you are collecting about them, or that you have received about them from someone else. The information that must be given is specified in the legislation and it is normally contained in a Privacy Notice.
- A data subject can ask you for details of the personal data that you hold about them and for a copy of it.
- A data subject can ask for information to be rectified or erased.
- A data subject has the right to require the processing of personal data to be restricted.
- A data subject has the right, in some circumstances, to receive the personal data they have provided in a portable form or to require that it is sent to another data controller.
- A data subject can, in some circumstances object to the use of the data.
A data controller is required to respond to any exercise of the data rights within one month of receipt, although an extension of up to a further two months is possible where requests are complex or numerous. In some cases, there are exemptions from providing the information that is requested, and care must be taken in the release of personal data about a third party.
Our lawyers can advise upon the response to the exercise of data subject rights – what information to release, whether an exemption applies and how to deal with third party information.
A data breach is almost inevitable, whether it is due to human error, an IT failure or a breach of cyber security. It is essential that there are procedures in place to deal with it and to assess the risks.
A data breach must be reported to the ICO within 72 hours of becoming aware of it, unless it can be concluded that it is unlikely to give rise to a risk to the rights and freedoms of the data subjects. If it is likely to result in a high risk to the data subjects, they must be informed without undue delay, with as much information as possible and advice about how the risks can be minimised.
Advice on reporting is available from the ICO’s website or on the ICO’s helpline 0303 123 1113.
Transferring data abroad
The UK has some of the strictest data protection laws in the world and particular care must be taken in sending data to another country.
Data may be transferred to another country within the EEA, although Brexit may change the position. The EU also publishes a list of approved countries in which the data protection legislation is considered to give an adequate level of protection.
If the transfer is to any other country, you must identify and use another basis set out in the GDPR legislation. This may require an agreement using the Standard Contractual Clauses (model clauses) published by the European Commission, or seeking to rely on a derogation from the general rules.
Lester Aldridge can advise on these issues and draft the necessary documentation.
Business and company sales
Data protection poses particular problems in the due diligence process involved in the sale of a company or a business.
Much of the information requested by a buyer will include personal data such as lists of employees, customers, residents or clients. If there is no legal basis for the disclosure of the data under the data protection legislation, any information that will identify an individual must be redacted.
The sale agreement should also include clauses to ensure that both parties will comply with the data protection legislation in the handover of the personal data – which can be quite complex, depending upon the way in which the deal is structured.
Lester Aldridge’s data protection solicitors have wide experience in dealing with these situations, both in the initial advice and in dealing with the documentation involved in the transaction.
How can I use data?
The data protection principles set out in the General Data Protection Regulation restrict the way in which data can be used. In particular:
- It must be processed lawfully, fairly and in a transparent manner. There must be a legal basis for its use under the Regulation and the data subject must be given the information required in a privacy notice.
- It must be collected for specified, explicit and legitimate purposes and not used in a way that is incompatible with those purposes. This causes particular problems in the field of marketing, where the requirements of the Privacy and Electronic Communications Regulations 2003 create a further layer of regulation.