Director’s Toolbox: GDPR and Data Protection
Getting to grips with what you actually have to do to comply with data protection laws can be surprisingly complex.
Every business needs to use information about people – whether that be about our employees, customers or suppliers – but a principles and risk-based regime means there is no one size fits all approach to compliance.
Our laws are (mostly) found in the UK GDPR and the Data Protection Act 2018, with further rules regarding cookies and marketing found in the Privacy and Electronic Communications Regulations (PECR). Post-Brexit we have already seen, and will continue to see, legal change but key requirements are likely to remain constant.
So, in plain English, what are the key things to be aware of when it comes to data protection?
Principles of data law
Data laws are built around six core principles. These require you to:
- Use people’s information fairly, transparently and lawfully. Tell people how you are going to use their information, and treat other people’s data as you would like them to treat yours. The UK GDPR includes a list of legally recognised reasons for using personal information; take the time to familiarise yourself with it
- Make sure you have a clear reason for collecting people’s information and that you only use it for that reason
- Collect enough information but not too much
- Make sure information you hold is accurate and up to date
- Delete information you no longer need
- Keep it safe
You must be able to demonstrate how you comply with the law, so document everything. Record how personal information is used in the routine running of your business. Before you use personal information in a way that could impact privacy, do a risk assessment to decide if it is safe and fair for you to proceed. If something goes wrong, keep a paper trail showing what happened and what you did to fix it.
You must also:
- Pay an annual fee to the ICO (unless you are exempt)
- Report data breaches (unless they carry no risk)
- Respond within one month to any rights requests (e.g. subject access requests)
- Include certain provisions in contracts where personal data is used in the course of providing or receiving services
- Comply with strict rules if you send, store, or allow access to, personal data outside of the UK
- Take extra precautions if you use certain types of sensitive information, information about children or criminal offences
- Obtain consent before sending certain marketing communications
- Obtain consent before using non-essential cookies on your website
Useful information can be found by visiting the ICO (www.ico.org.uk), where you will find detailed guidance, online compliance tools and self-assessment questionnaires.
The ICO is our data regulator and has extensive investigation and enforcement powers. Fines are reserved for the most serious cases but can be high (up to 4% of annual turnover). Orders to cease or suspend use of personal information can have particularly serious repercussions for businesses. Individuals also have the right to claim compensation if you misuse their personal information, with more firms now offering “no-win, no-fee” representation and a growing number of class-action claims being brought; little wonder data protection is such a hot topic in the boardroom!
If you would like to discuss data protection or PECR in more detail, please contact Kitty Rosser, Legal Director – Data Protection at Birketts LLP T: 01603 756559 E: email@example.com or visit www.birketts.co.uk/our-lawyers/norwich/kitty-rosser
Some detail within this article is taken directly from the ICO’s website.
Five key practical considerations for data protection
by Lenitha Bishop, The DPO Centre
The GDPR regulations aim to give individuals more control over their personal data by granting them a number of rights and placing stringent obligations on organisations to ensure that they protect the personal data they process.
The DPO Centre (dpocentre.com) exists to reduce the burden of complying with data protection laws and to enable organisations to use compliance as a differentiator that increases organisational value. It supports organisations to establish and maintain robust privacy frameworks, and delivers the knowledge and experience required to understand the risks, improve trust and increase customer and stakeholder engagement.
Below, The DPO Centre lists five key considerations for every organisation when dealing with personal data.
1. Transparency
Data subjects have the right to know about the processing of their personal data. It is essential, therefore, that organisations have a comprehensive Privacy Notice, which is easily accessible and clearly outlines information including what personal data they are processing, for what purposes, how long they are storing it for, and who they are sharing it with. Organisations have to be honest and clear with all data subjects, including customers, employees, job applicants and suppliers. By being transparent in the first instance, organisations can often avoid complaints.
2. Know your data
Before any organisation can put together a comprehensive data protection strategy, it is important to be clear about:
- What categories of personal data you process
- Why / for what purposes you process it
- Who has access to it
- How long it will be kept for
Data mapping helps organisations understand how they process personal data, enabling them to identify risks which can then be managed.
3. Less is more
The less personal data you store, the less you have to lose or have compromised in a data breach. Furthermore, storing only the minimum amount of personal data makes it far easier and less time-consuming to deal with Data Subject Access Requests (DSARs), with less information to retrieve, review, redact and disclose to data subjects. Organisations need to remember that they should not collect data on a ‘just in case’ basis, and a retention policy and schedule are vital.
4. Individual rights
The UK GDPR grants data subjects a number of rights including the right of access, erasure, and rectification, to name but a few. It’s important to fully understand these rights and ensure that staff are sufficiently trained in how to recognise a request, as well as deal with them within the one calendar month timeframe.
5. Non-compliance impacts finances and reputation
Outside of financial fines, the biggest risk facing most companies is the reputational damage caused by non-compliance. Non-compliance damages trust, as data subjects no longer tolerate the misuse of their personal data. Therefore, complying with data protection requirements, and demonstrating this through the UK GDPR’s various accountability obligations, is essential for maintaining data subject trust, as well as avoiding fines.