PRIVACY PERIL: Is your business compliant with data law?
25th June 2021
We have recently received many enquiries from clients about their legal responsibilities surrounding client data, data protection, and how they affect employment and litigation.
In October British Airways was fined £20 million by the UK’s data protection authority after a hacker accessed personal and payment card information relating to more than 400,000 of its customers.
The case highlights the dangers of failing to take your company’s data responsibilities seriously. It is far better – and cheaper – to invest in putting your data responsibilities in order before a breach.
Despite the risks, a number of businesses still don’t have GDPR policies and are not registered with the ICO (more on that later). The COVID-19 pandemic has seen many companies grow their online activity and increase the data they hold on their customers, and therefore increase their exposure to falling foul of the legislation.
While managers should always seek out tailored advice from a legal expert, here is a basic overview of the main issues from Samantha Wright:
What is personal data?
Put simply, personal data is data owned by the individual (who is known as the data subject). They effectively control who can have it and what is done with it purely by their consent.
It is any data that can be used to identify a living person directly or in conjunction with other information. It doesn’t need to be ‘private’ information – even information that is public knowledge or is about someone’s professional life can be personal data.
What are the GDPR and ICO?
The General Data Protection Regulation 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.
The Information Commissioner’s Office (ICO) is the UK’s independent body set up to uphold information rights. It has the power to issue fines to companies for breaching data protection laws.
You need to comply if you collect or hold information about individuals for any reason.
What data responsibilities do you have?
All businesses must have an assigned data protection officer to ensure that the organisation processes the personal data of its staff, customers, providers or any other individuals in compliance with the applicable data protection rules.
The role can be filled as a full-time position or by an existing employee. Data issues will barely affect many businesses, but those with large databases of customer information should have preparations in place to more easily resolve a data breach by a hacker, for example.
In addition to the above, businesses must also register with the ICO and pay a data protection fee which is renewable annually.
Companies such as those selling online for the first time are likely to be vulnerable as they may have launched an online arm during COVID just to survive and have not put all their policies in place.
As soon as it is no longer necessary to hold the data, or the individual withdraws their consent, the data must be irreversibly deleted/destroyed.
What are the risks?
If a business is in breach of data protection laws, there is a potential fine which is a percentage of turnover, but the amount of management time that violations can take to resolve can also be crippling.
Each company and sector is different so the risks and responsibilities of each must be approached on a case-by-case basis. However, here are some common issues:
Don’t assume that the only risks businesses face are from cybercriminals trying to break into their systems. Data is also vulnerable to accidental or unlawful destruction, loss, or disclosure.
The transfer of data to third parties in other countries is tightly regulated – some huge fines have been issued – and the issue has become particularly thorny because of Brexit. There is a UK GDPR policy and an EU one, and the UK transfer rules broadly mirror the EU GDPR rules. However, this situation may change and BTTJ has seen instances where the UK is starting to be looked at as a third-party country by companies dealing with data transfers from the EU to the UK.
Another factor to be borne in mind is that a lot of servers where people hold data are not always in the UK, so businesses could be inadvertently transferring data to other countries without proper measures in place.
What should you do?
Pay attention to your terms and conditions – they are critical to making sure you are fully compliant. Ensuring you have the active consent of customers and staff to use their data is always the best way to avoid any confusion.
Companies need to assess whether they hold data on behalf of customers and employees. As soon as you handle any personal data, you should be registered with the ICO.
Anonymise the data you collect where possible and don’t hold on to data for any longer than is necessary.
Have a policy setting out what data is used for and how long it is held.
Review your data security measures and other procedures regularly to ensure your data is secured. And training is key to ensure staff are aware of the issues.
Assess whether you send data out of the country; there are requirements for the level of protection to be supplied for such data transfers.
And finally, if you are in any doubt about the issues above, consult a solicitor with extensive GDPR experience.