Data protection is incredibly complex for businesses and often requires detailed legal advice, especially with the General Data Protection Regulation (GDPR) now being in force and Brexit looming.
Here we’ve answered our clients’ most common questions in these data protection FAQs.
Jump to individual data protection FAQs:
- What is data protection and why does it matter?
- Why should your business comply with data protection legislation?
- What are the requirements on your business for data protection?
- Where can you get general advice on data protection for businesses? Are there data protection guidelines for businesses?
- When do you need a solicitor for specialised data protection legal advice?
- What is the law on data protection for businesses? How does the GDPR differ from the DPA 1998?
- Does your business need a data protection policy? What should inform it? What should it cover?
- What type of information is subject to the Data Protection Law?
- Whose responsibility is data protection in your business?
- Does your business need a data protection officer?
- Why do you need to know about GDPR, and what do you need to do about it?
- What happens if your business breaches data protection law?
- What is a legitimate business purpose in relation to data protection?
- When is it not required to get permission from a person to process personal data?
- What does data protection mean for business continuity?
- How does data protection affect business documents? What about creating or producing a new business document?
- What are the data protection requirements for storing business information?
- My business uses CCTV, or wants to start using CCTV. What are the data protection implications?
- How does using Skype for business affect data protection?
- How does data protection law affect your business’s use of third parties and subcontractors?
- What is data protection tokenisation and how does it work?
- What is a data protection adequacy decision?
- Can a data protection officer be prosecuted?
- Can a data protection officer (DPO) be a director?
- How to report a data protection breach and who this should be reported to
- How should your business handle data protection for deceased individuals?
- What are the data protection implications if your business uses body worn cameras or dash cams?
- Data Protection and the Information Commissioner’s Office (ICO)
- Marketing and Data Protection
- Employers and data protection
- How does data protection apply to employees’ emails?
- How does data protection affect recruiting and interviewing potential job candidates?
- What are the data protection implications of keeping CVs on file for later use?
- Data protection and whistleblowing/whistleblowers
- Are there any data protection implications of allowing employees to work from home?
- Business to business (b2b) and commercial data protection
- Data protection and different kinds of businesses
- Is data protection for small businesses different?
- Is data protection for online businesses different?
- What does GDPR mean for life sciences companies?
- How does data protection affect regulated firms?
- What is the ePrivacy Directive and how has it been affected by the GDPR?
- How does data protection law impact on any freedom of information requests?
- How does data protection law affect blockchain?
What is data protection and why does it matter?
Data protection is now governed by the EU General Data Protection Regulation (GDPR) which took effect on 25 May 2018, and the Data Protection Act 2018, which received Royal Assent on 23 May 2018. Data Protection law is the regulation over the access to and use of personal data which is collected, processed and stored by automated means or in a structured filing system. It is important to ensure you comply with the data protection regulation when running your business because a failure can result in your business having to pay a large fine.
To figure out whether you should be concerned about data protection regulation, you need to ask whether you process data about individuals – employees, customers, suppliers – which is ‘personal’.
Data is ‘personal’ if the information relates to a living individual, and that individual can be identified from the data, or from the combination of this data and other data which you, as a data controller, possess or are likely to come into possession of. You can be a data controller and a data processor for different processing of personal data. A data controller determines the means and purpose of processing personal data. A processor follows the instructions of the data controller. Under the GDPR, a data controller must set out written instructions to the processor.
If you would like more information on what kind of information would fall within the definition of personal data, you can read our helpful advice post on Data Protection – What is Personal Data?.
Why should your business comply with data protection legislation?
The current legislation on data protection imposes obligations on ‘data controllers’. A business is a legal person: this means it can be a data controller if it collects and processes personal data, and must comply with the legislation.
If you are dealing with personal information, you have an obligation to register with the Information Commissioner’s Office (ICO) and follow the requirements of the regulation.
It is important you comply with the data protection legislation. A failure to comply can lead to the ICO serving an enforcement notice on your business, depending on the severity of the breach. If you do not comply with the notice within the period specified in the notice, the ICO will usually use its enforcement powers to impose a penalty on your business.
You should not underestimate the penalties that can be imposed for non-compliance. Under the new regulation (GDPR), your business could face a fine of up to 20 million euros or 4% of global annual turnover, whichever is higher. Even more importantly, the ICO could commence criminal proceedings against serious offenders. Similarly, an individual could commence proceedings against you for breach of data protection law.
What are the requirements on your business for data protection?
When collecting, processing and storing personal data, your business should ensure you comply with the Data Protection law.
Under the GDPR, similar to the previous legislation, you can process personal data if one of the six conditions is met, known as the lawfulness of processing:
- the data subject has given consent to the processing
- processing is necessary for the performance of a contract
- processing is necessary for compliance with a legal obligation
- processing is necessary in order to protect the vital interests of the data subject
- processing is necessary for the performance of a task carried out in the public interest
- processing is necessary for the purpose of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests of the data subject.
Where you process personal data, you should always adhere to the spirit of the six data protection principles. Personal data shall be:
- processed lawfully and fairly and in a transparent manner, meaning you shouldn’t mislead or bribe individuals into giving away their data. This can be achieved by explaining why you collect the data, and what it will be used for.
- collected for specified purposes. Any new purpose will need to be connected to the original purpose.
- adequate, relevant and not excessive in relation to the specified purpose.
- accurate, and where necessary kept up to date.
- kept for no longer than is absolutely necessary for the specified purpose. Once the data is not needed, it should be securely deleted or disposed of.
- processed in a manner that ensures appropriate security, using technical and organisational measures to prevent unauthorised or unlawful processing and accidental loss of or damage to personal data.
Enshrined within the six principles is the express requirement to demonstrate ‘accountability’ and transparency.
When you are dealing with sensitive personal data, you can only process the personal data if you meet certain further conditions in addition to those set out above. Like with non-sensitive personal data, when processing, you are obliged to respect and uphold the six data protection principles.
Sensitive personal data (renamed “special category data” and expanded under GDPR) consists of information on an individual’s:
- Racial or ethnic background
- Political opinion
- Religious beliefs
- Philosophical beliefs
- Trade union membership
- Data concerning health
- Sex life or sexual orientation
- Biometric or genetic data.
Personal data relating to criminal convictions and offences is no longer included as sensitive or special category data, but extra rules will still apply to its processing.
Where can you get general advice on data protection for businesses? Are there data protection guidelines for businesses?
One helpful source is the ICO. This organisation provides practical advice on how to comply with data protection regulation and how to improve data protection practices in your business. You can access these practical guides, which include a ‘Data protection self-assessment toolkit’, at the ICO website.
The Gov.uk website can also provide helpful advice on your business’s obligations when processing personal data – particularly in the context of recruitment, monitoring staff and using CCTV. An added benefit of this site is that it also provides access to an online chat with a data protection advisor.
When do you need a solicitor for specialised data protection legal advice?
Data protection law is complex and you should seek legal advice.
At Harper James Solicitors, we have a number of specialist data protection and privacy lawyers with many years’ experience advising businesses on how to comply with data protection obligations. Possessing the specialism and expertise to provide advice on compliance, as well as assistance with drafting privacy policies and data security processes, negotiating contractual data processing terms and data sharing agreements, we can help guide you through your obligations under the data protection legislation.
What is the law on data protection for businesses? How does the GDPR differ from the DPA 1998?
Watch a video recording of our recent webinar, Data Protection And An Introduction to the GDPR below:
Since 25 May 2018, the GDPR has been in force and differs from the previous regime under the DPA 1998. The GDPR differs in scope from the DPA 1998, imposes different obligations on data processors, and expands the rights of data subjects.
| Element | Data Protection Act 1998 – previous legislation | GDPR – from May 2018 |
|---|---|---|
| Definition/Scope | The definition of personal data was limited to information relating to the data subject, which can include the name, address, job title, IP address and cookies. It can also extend to numbers which identify individuals. | The definition has been made much broader in scope to include factors like genetic, mental, economic, cultural, or social identity of the data subject. Although appearing exceptionally broad, the aim is to encourage data controllers to consider whether the amount of information they process is truly necessary. |
| Conditions | There was only one distinction made between non-sensitive personal data, and sensitive personal data. To process the latter required you to meet an additional condition. | An additional distinction has now been made between non-sensitive personal data, sensitive personal data, and personal data of children under the age of 16. Parental consent is now needed to process the personal data of children. If processing personal data when offering an internet service directly to children, in the UK only children aged 13 or over can provide their own consent. |
| Obligation | There was no obligation to appoint a data protection officer. | Some data controllers are now required to appoint a Data Protection Officer (DPO). This mandatory obligation applies to your business if: |
| Risk-based approach | The DPA 1998 was very much a rule-based approach when protecting personal data. Data controllers had to comply with rules (principles) when processing personal data. | A risk-based approach is now required, meaning mandatory impact assessments need to be undertaken in certain circumstances by data controllers. Data controllers therefore need to identify the risk of a privacy breach when data processing, and if the risk is high, they must minimise this risk before proceeding with the processing activity. |
| | There was no obligation to consider privacy from the outset because the rule-based approach required compliance when processing the data. | The processing should consider privacy from the moment the concept of a product or service is created. |
| Notification obligation | There was no legal obligation to report a breach of data protection. However, it was considered good practice to notify the ICO and the individuals concerned about the breach. | Data controllers will be obliged to report data breaches to their data protection authority unless the breach is ‘unlikely to represent risk to the rights and freedoms’ of the data subject. Where the risk is particularly high, the data subject must also be notified. |
| Right to be forgotten | Whilst individuals could request to be forgotten by a data controller, previously this right was not included in the DPA 1998. | The regulation introduced the right in a number of circumstances and, where it applies, obliges data controllers to inform third parties with whom they have shared the data of the erasure, unless this would involve disproportionate effort or prove impossible. |
| Data sharing | When transferring data between data controllers, it was good practice but not a legal requirement to document the sharing of data. | The GDPR introduced obligations on data controllers and processors to document all data processing activities, including data retention and sharing, with limited exceptions for SMEs. |
| Data processors’ obligations | Data processors had no direct obligation under the legislation. Instead, the data controller passed on the obligation by way of contract. | Data processors (parties who only process personal data on behalf of a data controller) now also have a responsibility to protect personal data. This means data subjects can take legal action against the data processor for privacy breaches. |
| Data subject’s rights | Although individuals could request a copy of personal data held about them (known as a “subject access request”), the only legal obligation was to ensure the copy provided was in “intelligible form”. | Data subjects now have the right to request a copy of personal data to be provided in a commonly used electronic format, and in certain circumstances (known as “the right to data portability”) the data controller must transmit the data directly to another organisation. |
| Penalty for breach | A breach of the DPA 1998 could have led to the data controller being subject to a fine of up to £500,000. It was also a criminal offence to breach the data protection regulation. | The penalty for breach is significantly greater, as the ICO can fine a data controller up to 4% of its annual global turnover or €20 million (£17.5 million), whichever is greater. It is still a criminal offence to breach the new data protection regulation. |
Most of the elements of the GDPR will be retained after Britain leaves the EU. The principles of the GDPR are mirrored in the new Data Protection Act 2018.
Considering Britain wants to ensure efficient, undisrupted transfer of data with countries within the EU once it leaves, Britain would want to ensure it has adequate data protection measures in place that remain similar, if not the same, as those imposed by the GDPR. For more detail on the likely position of data protection regulation after Brexit, read our advice post, Is Brexit going to affect data protection and GDPR?
Does your business need a data protection policy? What should inform it? What should it cover?
Although there is no explicit requirement under law to adopt a data protection policy, having one can provide a system which enables you and everyone within your business to discharge your obligations, and depending on your organisation it may be necessary to make data processing work. It’s therefore highly advisable to adopt a data protection policy, as this will allow your business and employees to understand their obligations under the legislation.
The data protection policy should emphasise the importance of data protection, and clearly state how everyone in the business can protect personal data. When writing your data protection policy, you should keep in mind the six principles of data protection, as discussed above under What are the requirements on your business for data protection?
A good business data policy will cover:
- The type of data it applies to (such as normal, sensitive, or children)
- Who is responsible for data protection
- The main risks faced by the company
- Precautions on how to keep data protected
- Explanations and instructions on how data should be stored and backed up
- Explanation on how the company ensures data is kept accurate
- What to do if an individual asks to access the data that is held on them
- Under what circumstances the business or employees can disclose data and to whom
- How the company keeps individuals informed about data it holds
- Procedure to comply with when transferring data overseas.
What type of information is subject to the Data Protection Law?
All businesses that process personal data are subject to data protection laws. There are some exemptions to this, such as the household exemption. At Harper James, we can determine whether you fall into any exemptions.
Whose responsibility is data protection in your business?
The responsibility for complying with data protection lies with the data controller, which is the ‘person’ which collects and processes data. A ‘person’ includes individuals, organisations and companies. If your business is a company rather than, for example, just you as a sole trader, then the company is responsible for data protection: for example, the directors and other staff employed by the company.
You can appoint a data protection officer to take a proactive role in ensuring compliance with data protection. However, if there is a breach of data protection legislation, ultimately, your company will be liable: not the data protection officer.
Does your business need a data protection officer?
Under the GDPR, a data protection officer (DPO) must be appointed if you are a public body, or where your core activities involve monitoring individuals or where you process sensitive data or personal data relating to criminal convictions and offences. The DPO will have the responsibility of:
- informing the business and employees about their obligations under GDPR
- monitoring compliance and ensuring there are data protection policies in place
- training staff on GDPR compliance and data protection audits
- providing advice on data protection impact assessments (required by GDPR) and
- co-operating with the ICO and acting as its point of contact.
Why do you need to know about GDPR, and what do you need to do about it?
You need to know about the GDPR because it impacts any legal ‘person’ which processes personal data. To ensure you are complying with the new legislation, you should review your business data protection policy and systems, and make the changes necessary to make it compliant with the new law. Read our advice post, Get your business prepared for the GDPR.
The GDPR aims to make data processing more transparent, whilst also increasing accountability for data processing. Measures you can take to comply include:
- Reviewing the effectiveness of your data handling/processing activities
- Reviewing security of data
- Keeping staff trained on how to protect personal data
- Ensuring accurate record of all personal data held, where the data came from, and who it has been shared with
- Ensuring you have a system and process for conducting data protection impact assessments
- Appointing a DPO if you meet the criteria
- Reviewing the system of how you obtain, record and manage consent
- Ensuring you have a system which verifies the age of individuals, so you can identify children and obtain parental consent where required
- Reviewing your privacy notice
- Reviewing your procedure to grant data subjects access to the personal data you hold regarding them
- Ensuring you have an appropriate procedure which detects, reports and investigates privacy breaches.
To find out more about how you can comply, the ICO prepared a helpful checklist prior to the introduction of the GDPR, which you can use to help you identify the measures to take.
What happens if your business breaches data protection law?
An individual or individuals known as the data subject(s) can issue court proceedings where you have breached data protection laws. They can be compensated for material or non-material damages. Material means financial loss and non-material means “significant distress or harm”. Similarly, the ICO can issue monetary penalties against your business.
What is a legitimate business purpose in relation to data protection?
One of the lawful conditions for processing personal data is that it is necessary for the purpose of a legitimate interest of the controller or a third party to whom the data is disclosed.
‘Legitimate interests’ isn’t defined by legislation: it can include a broad range of interests. The interest must be:
- Lawful in terms of being compliant with relevant laws
- Sufficiently articulated so the interest can be balanced against the interest of the data subject
- A real and present interest – that is, not a speculative interest.
Examples of a legitimate interest include:
- Monitoring employees for safety/management purposes
- Managing a relationship with a client
When is it not required to get permission from a person to process personal data?
Consent is where you would require the permission of an individual to process their personal data. Consent shall be freely given, specific, informed and unambiguous. Where you do not wish to rely on consent, you can look at the other five conditions for processing personal data, as discussed above under What are the requirements on your business for data protection?
There are certain circumstances where you can process personal data without consent (even when there is sensitive information). These are set out in the legislation and include reasons such as:
- to safeguard national security
- to prevent or detect crime or to apprehend an offender
- to assess or collect tax or duty
- where you are obliged to make the personal data public due to an obligation under law
- where you are obliged to process and disclose the information in connection to legal proceedings.
What does data protection mean for business continuity?
As business continuity encompasses ‘resilience, recovery, and contingency’ to ensure your business can continue operating in cases of serious incidents or disasters, and recover swiftly to an operational state, you should account for data protection.
The penalties of failing to comply with data protection obligations are significant and can disrupt the operation of your business. By ensuring you have measures in place to protect you from data breaches, you can avoid your business coming to a standstill when hackers access personal data that you store and use.
A recent example of how much impact a data protection breach can have on a data controller is the data breach by Uber. The company had to contact 2.7 million customers about the breach, in which customer names, mobile numbers and email addresses were accessed by hackers. As well as failing its data protection obligations, the company increased its liability by attempting to cover up the privacy breach, paying the hackers to conceal it. Considering the new penalties for a failure to notify individuals and the regulator of a breach, it is important you put systems in place to prevent privacy breaches and to deal efficiently with breaches when they occur. This will help you avoid paying large sums as penalties, enabling business continuity.
How does data protection affect business documents? What about creating or producing a new business document?
Considering the principles of data protection requires you to process personal data fairly and for a specified purpose, it is important that your business documents only request the personal data necessary to allow you to achieve that purpose.
For example, if you are producing a business report, you may find that it is unnecessary to identify key employees at a specific outlet of your business when covering the sales figures and performance of the business. You should therefore exclude any personal data in this report. This is particularly important if the business report will be made publicly available or available to investors.
Similarly, when drafting documents to transact with clients or suppliers, it is important that only the necessary information is requested. For example, when transacting with an individual supplier, it is unnecessary to request sensitive information such as ethnic background.
In addition to this, you will need to ensure that when such business documents are made available to third parties, such as external auditors or accountants, the personal data contained in these documents is adequately protected.
Finally, you should also ensure all personal data contained in such business documents is stored securely and is disposed of properly once it’s no longer needed.
What are the data protection requirements for storing business information?
When storing business information, you have several obligations. For example, you must ensure that personal data:
- is protected from being stolen and accessed by hackers
- is backed up so it is not accidentally lost
- is kept accurate and up to date.
To achieve these goals, it’s recommended to restrict the number of individuals who have access to this information, and have a policy to remove personal data after a specified period of time has passed (known as retention period).
My business uses CCTV, or wants to start using CCTV. What are the data protection implications?
CCTV surveillance gives you images which can provide personal data about people like their vehicle registration number, which can be used to identify individuals: for example, the owner. For this reason, the use of CCTV is regulated by data protection law.
As CCTV can be invasive, it is advised that you conduct a privacy impact assessment to objectively determine whether using CCTV is necessary for your business, and proportionate to the reason you are using it. You should also have a clear policy on handling the information collected by surveillance, and how that information is used and disclosed.
It’s important to ensure the access to the information recorded is restricted and that the information is only used for its intended purpose. The regulator recommends that where necessary and possible, the information is encrypted – as this prevents unauthorised access to the images.
If your business stores the information on a cloud computing system, it is essential that you ensure this system is secure. Additionally, viewing live images on monitors should be restricted to the operator or authorised person, and only when necessary. An example of when this would be necessary would be if the surveillance was used to monitor for health and safety purposes.
There are also important restrictions on your ability to disclose the information you obtain through surveillance. Whilst it would be a breach of data protection to disclose CCTV information to the media, it is lawful to disclose the information to bodies such as the police to prevent and resolve crime.
Similar to personal data collected by other means, individuals have access rights to any information held regarding them. To allow you to comply with any access requests, it is advised that you store the information systematically to enable easy access. Again, you should only retain this information as long as is necessary for your specified purpose.
One key difference that applies when you collate information by way of CCTV, is that you must let people know that surveillance is in operation. This can be done by way of a written notice in the area covered by the CCTV.
You can access the ICO’s full code on surveillance here.
How does using Skype for business affect data protection?
Skype is communication software which retains the information it collects. As this is stored on a cloud computing server, you need to ensure the service provider (Skype) is able to protect any personal data it stores as a result of your business usage.
Considering Skype is not end-to-end encrypted, it is not a secure and protected software. Due to this inability to ensure security of personal data, you should consider putting safeguards in place to ensure the security of information transmitted via Skype.
How does data protection law affect your business’s use of third parties and subcontractors?
Due to your data protection obligations, you will need to ensure there are systems in place which can allow you to assess the risk of privacy breaches when using third parties and subcontractors.
If the third party or subcontractor will be processing personal data when providing services to you or even the customer directly, it is advisable you carry out a privacy impact assessment to balance the risk of sharing data and not sharing the data. As part of this assessment, you may consider the adequacy of the measures taken by the third party or subcontractor for protecting personal data and complying with other data protection regulations.
In order to comply with the principles, you should also ensure the individuals are informed about how the data will be processed, why, and by whom. One way to achieve this is to use a privacy notice.
If, however, the third parties or subcontractors are only processing personal data on your behalf (for example, outsourced payroll function), the party is considered a ‘data processor’, and the data processor has direct obligations under the GDPR.
If you are using a data processor, you should provide strict instructions on how the third party or subcontractor should process the information, and you should require appropriate security measures to be taken to protect the data.
Considering you will be entering a written contract with the third party or subcontractor acting as the data processor, you could limit your liability against privacy breaches by stipulating that you are not liable for any breaches which occur due to the act or omission of the other party.
What is data protection tokenisation and how does it work?
Tokenisation replaces a sensitive value (a card number, a national insurance number) with a substitute value, the token, that has no exploitable meaning on its own. The clear-text value is placed in a tightly controlled store, the token vault (or dictionary), where it is held encrypted, and a token is issued in its place; an index records which token stands for which value, so the original can only be recovered by presenting the token to the vault. Tokens are normally random and, for card numbers, are often generated to keep the same length and last four digits so that existing systems and staff can still handle them. This differs from encryption, where a mathematical algorithm transforms the value itself into ciphertext that anyone holding the key can reverse: a token has no mathematical relationship to the value it stands for, so there is no key to steal.
A stolen token therefore cannot be turned back into the real value without access to the vault, which is why the vault becomes the most sensitive component in the system and must be isolated, access-controlled and audited. Tokenisation and encryption are complementary rather than alternatives: the vault itself is protected by encryption, and the same card number will typically be encrypted while in transit and tokenised once at rest.
Tokenisation is used widely for mobile payments. Smartphone payment applications store a tokenised version of your card number (a device-specific token issued by the card network’s token service) in a secure element on the device or in the cloud, rather than the card number itself. When you pay, the application authenticates you by fingerprint, face or passcode and sends the token plus a one-time cryptogram to the merchant’s point-of-sale terminal, which passes them to the card network. The network’s token service validates the cryptogram, looks the token up in its vault to recover the real card number and forwards the authorisation to the issuing bank, which approves or declines the payment. A token captured from a terminal is of little use to a thief: it is bound to that device, and the cryptogram cannot be replayed.
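As an added example (not code from the original page), the following Python sketches the vault model described above: tokens are random digits with no mathematical relationship to the card number, the card number is held only inside the vault in encrypted and integrity-protected form, and de-tokenisation is gated on the caller’s role. Several things here are assumptions for the purpose of the example: the HMAC-SHA256 counter-mode cipher protecting vault records is a standard-library stand-in for a real authenticated cipher such as AES-GCM from a vetted library, the card number 4111111111111111 is the well-known Visa test number rather than a real card, and the role name ‘payment-processor’ is an invented label.

```python
import hashlib
import hmac
import secrets


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed example of a tokenisation vault (not a production system).

    - tokens are random digits, unrelated to the PAN they stand for
    - the PAN is stored only inside the vault, encrypted and integrity-protected
    - a keyed index maps the same PAN to the same token without storing the PAN in clear
    - de-tokenisation is gated on the caller's role (assumed role name)
    """

    DETOKENISE_ROLES = {"payment-processor"}

    def __init__(self, master_key: bytes):
        # Derive separate sub-keys for indexing, encryption and authentication.
        self._index_key = hmac.new(master_key, b"index", hashlib.sha256).digest()
        self._enc_key = hmac.new(master_key, b"encrypt", hashlib.sha256).digest()
        self._mac_key = hmac.new(master_key, b"authenticate", hashlib.sha256).digest()
        self._store = {}   # token -> (nonce, ciphertext, tag)
        self._index = {}   # HMAC(pan) -> token

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        # HMAC-SHA256 in counter mode as a PRF keystream: a stdlib stand-in for a
        # real AEAD such as AES-GCM, which you would use from a vetted library.
        out = b""
        counter = 0
        while len(out) < length:
            out += hmac.new(self._enc_key, nonce + counter.to_bytes(4, "big"),
                            hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def _seal(self, plaintext: bytes):
        nonce = secrets.token_bytes(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce, ct, tag

    def _open(self, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
        expected = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("vault record has been tampered with")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))

    def tokenise(self, pan: str) -> str:
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a plausible card number")
        idx = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        if idx in self._index:               # same card -> same token
            return self._index[idx]
        while True:
            # Format-preserving: same length, last four digits kept so staff can
            # still recognise the card; the rest is random. Luhn-valid candidates
            # are rejected so a token can never be mistaken for, or used as, a PAN.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_ok(token) and token not in self._store:
                break
        self._store[token] = self._seal(pan.encode())
        self._index[idx] = token
        return token

    def authorised(self, role: str) -> bool:
        return role in self.DETOKENISE_ROLES

    def detokenise(self, token: str, role: str) -> str:
        if not self.authorised(role):
            raise PermissionError(f"role {role!r} may not de-tokenise")
        if token not in self._store:
            raise KeyError("unknown token")
        return self._open(*self._store[token]).decode()


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    pan = "4111111111111111"        # well-known test card number, not a real card
    token = vault.tokenise(pan)
    print("token:", token)
    print("round trip ok:", vault.detokenise(token, "payment-processor") == pan)
```

The point to take from the design is that everything outside the vault (the merchant database, the marketing system, the log files) only ever sees the token, and the vault answers a de-tokenisation request only for a small set of authorised callers; that is what lets a tokenised system keep most of its components out of scope for the most sensitive data.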
What is a data protection adequacy decision?
An adequacy decision looks at whether there is an adequate level of data protection when transferring data across borders. In the EU the adoption of an adequacy decision involves:
- a proposal from the European Commission
- an opinion of the European Data Protection Board
- an approval from representatives of EU countries
- the adoption of the decision by the European Commission
The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to the third country to which the adequacy decision relates, without any further safeguard being necessary. At the time of writing, Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework) have been recognised by the EU as providing adequate protection. Note that the Privacy Shield was invalidated by the Court of Justice of the EU in July 2020 (Schrems II) and was replaced for certified US organisations by the EU-US Data Privacy Framework in July 2023, so always check the current list of adequacy decisions before relying on one.
In the UK you will be able to make a restricted transfer if it is covered by new UK adequacy regulations. Adequacy regulations confirm that a particular country or territory (or a specified sector in a country or territory) or international organisation, has an adequate data protection regime. The UK government intends to recognise the EU adequacy decisions which have been made by the European Commission prior to the exit date.
If the UK exits the EU with no deal, UK businesses will continue to be able to transfer personal data to US organisations participating in the Privacy Shield, provided those US organisations expressly state that Privacy Shield commitments apply to transfers of personal data from the UK. (That framework no longer exists; check the ICO’s current guidance on transfers to the US.)
If there is no adequacy decision which covers a restricted transfer, you should consider putting in place one of a list of appropriate safeguards (such as standard contractual clauses) to cover the restricted transfer. If there is no adequacy decision and no appropriate safeguards, but one of the list of exceptions under the EU GDPR applies, you will be able to make the restricted transfer. These exceptions will continue under the UK GDPR.
Can a data protection officer be prosecuted?
It is for the controller or processor to demonstrate compliance with the GDPR; the DPO is not personally responsible or liable for non-compliance. Under the GDPR the DPO must not be dismissed or penalised by the controller or processor for performing his or her tasks. A DPO remains subject to the ordinary rules of employment, contract, civil and criminal law, however, and can still be dismissed for reasons unrelated to the performance of DPO tasks, such as gross misconduct.
If a DPO has inadequate resources to perform the role, has raised this with the controller or processor and no action has been taken, responsibility for any resulting infringement is likely to rest with the controller or processor rather than the DPO.
Can a data protection officer (DPO) be a director?
There is nothing preventing a director from becoming a DPO, provided the role does not put the DPO in a conflict of interest in which business objectives could push data protection into second place. To avoid conflict, a DPO should not also determine the purposes and means of processing (for example as head of Human Resources, IT or marketing), should not be employed on a short or fixed-term contract, should report directly to top management and should control his or her own budget.
How to report a data protection breach and who this should be reported to
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Not every breach has to be reported to the Information Commissioner’s Office (ICO): you must first assess the likelihood and severity of the risk to the people affected, and if you are unsure you can use the ICO’s self-assessment tool. Whether or not you report, keep a record of every breach, its effects and the remedial action taken; if you decide a breach does not meet the threshold, document the reasoning so the decision can be defended if it is challenged later.
If the breach is reportable, the data controller must report it to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach (the clock runs from awareness, not from the moment the breach occurred). A report made after the 72 hours must be accompanied by the reasons for the delay. Where the breach is likely to result in a high risk to individuals, you must also tell those individuals without undue delay.
The report must describe the nature of the personal data breach, including where possible the categories and approximate number of data subjects and personal data records affected; give the name and contact details of the DPO or another contact point; describe the likely consequences of the breach; and describe the measures taken or proposed to address it and to mitigate its adverse effects. Information that is not yet available when the report is made can be provided in phases.
How should your business handle data protection for deceased individuals?
Any promise to keep information confidential should last beyond death, and dealt with sensitively, but legally speaking the GDPR does not apply to data belonging to the deceased. Recital 27 of the GDPR says “This Regulation does not apply to the personal data of deceased persons.”
What are the data protection implications if your business uses body worn cameras or dash cams?
The Data Protection Commissioner has confirmed that, because the image of a person recorded by a dash cam allows an individual to be identified, it constitutes personal data under the GDPR. Motorists using a dash cam are therefore likely to be data controllers and must comply with data protection law. In the interests of transparency, a fundamental principle of data protection, any motorist using a dash cam should display a clearly visible sign or sticker on or inside the vehicle indicating that filming is taking place, and be able to provide certain details (verbally or by way of a policy sheet) about how the footage is used.
Further, motor insurance companies seeking dash cam footage of an incident in relation to a claim will likely become a separate data controller once the footage is handed to them and they would also need to comply with data protection law. There is also a joint-controller relationship where an insurance company incentivises drivers to use a dash cam to claim lower insurance premiums.
If your business uses dash cams or body worn cameras it is advisable to have a policy identifying the lawful basis for processing the personal data they collect and explaining why that processing is necessary for the purpose it aims to achieve. Recorded material must be stored securely, access must be restricted to authorised individuals who have been trained in data protection, and footage should be kept no longer than necessary. Recordings must not be altered in any way, in case they are required as evidence, and it is good practice to keep a log of who has viewed or exported footage and when.
Data Protection and the Information Commissioner’s Office (ICO)
Does your business need to pay a fee to the ICO?
If your business is a data controller that processes personal data then you must pay a data protection fee to the ICO unless an exemption applies. Controllers who have a current registration (or notification) under the DPA 1998 do not have to pay the new fee until that registration has expired.
The data protection fee your business has to pay depends on its size and turnover. There are three tiers, ranging from £40 to £2,900, but for most organisations it will be £40 or £60. Charities and small occupational pension schemes pay £40 regardless of their size. No VAT is charged on the fee.
What if someone complains to the ICO about your business?
If someone complains about your business to the ICO, the ICO has wide powers to progress this complaint.
In addition to monitoring your business for compliance, the ICO can enter your business premises to assess compliance with data protection. If the ICO serves an ‘assessment notice’ on your business, you must comply with any requests by the ICO for access to information, equipment or systems that process personal data.
Upon this assessment, the ICO can produce monitoring reports and overview reports. In addition to making recommendations as to how you can improve data protection, it can also take enforcement action such as imposing monetary penalties and bringing criminal proceedings against you.
Marketing and Data Protection
What does data protection law mean for buying and selling databases?
When you buy or sell a database, you will be processing the personal data stored within it. The same applies when you license a database, because the licensee becomes a data controller in respect of the data.
Under data protection law, there is an obligation to inform individuals that their personal data is being transferred to the buyer or licensee. It is common for the buyer to do this by sending a privacy notice (historically called a ‘fair processing notice’), a written notice to the data subjects informing them of the change. If one party (usually the buyer) is responsible for this, it is important that the purchase agreement includes a warranty that the party will fulfil this obligation. Upon this change in data controller, you should also notify the ICO within 28 days of the transfer.
You should note that while ‘legitimate interests pursued by you or third parties’ is one condition which might make the transfer/processing permissible, it is not advisable to rely on this alone. In some cases it may be necessary by law to rely on consent (such as electronic marketing) or better practice to do so, particularly where the sale of the data is not part of the sale of a business.
When transferring the data, you should ensure the six principles are respected. For this reason, data cannot be sold if the sale would be incompatible with the original purpose specified to the individual when collected. Considering this, you are advised to inform individuals that the information you are collecting may be sold or licensed in the future or, where the original purpose communicated did not provide for future sale, seek the individuals’ consent by re-issuing them with a privacy notice informing them of the sale, within a reasonable period of time.
You should also ensure the transfer is done securely, and measures are taken to protect the data from accidental loss and theft. If you are buying the database, you should check the details of data on the database to ensure it is not excessive or unnecessary with respect to the purpose for which you require the data. It is also important to seek a warranty from the seller assuring the data is accurate and up-to-date.
When there is a sale of a database, it’s common for the buyer to include warranties expecting the seller to comply with any obligations under data protection law.
Common warranties include:
- the data protection law has been complied with in all respects
- the seller is entitled to transfer the database to the buyer
- the seller is entitled to use the database for the purpose it intends to use it
- the seller has no notice of any claims/complaints in connection with data protection law by data subjects of the database
- the seller has received no notice that the ICO or other regulatory authority considers the seller to have infringed any data protection obligations.
If you are buying or selling a database, we have specialist solicitors who can give you clear advice on how to proceed with the transaction whilst complying with data protection obligations. See more on our Data Protection & Privacy Law legal services.
What does data protection law mean for using business email addresses?
Business email addresses can be used to identify a living person: that is, the person who uses that email address. This is personal data.
As the use of an individual’s business email address will usually be for the performance of a contract (for example, an employment contract) and in your legitimate interest (for example, to conduct your business), the use of business email addresses is usually lawful under data protection law.
However, when you do use business email addresses, it is important that you respect the six principles for data protection.
It is also important that you do not use or reveal an individual’s email address for reasons unrelated to work. However, considering business email addresses are usually limited to use for day-to-day operation of the business, it is unlikely that a use of business email address would cause a breach of data protection regulation.
For more information on how to minimise risks of privacy breaches when using business email addresses, you can read our advice post, Monitoring employees’ emails in the workplace and their right to privacy.
Does data protection law apply to business cards?
Business cards contain information about a living person, therefore the business card does contain personal data. It’s recommended that if you hold a business card containing the personal details of anyone other than yourself, you do not hand out that business card without that person’s permission.
However, if you are handing out the business card for a legitimate purpose in the course of business, and the information concerns your employee, consent is not essential. In such circumstances you should ensure you respect the six principles of data protection. This means the business card should only be used for a specified purpose, which would normally be to gain customers for your business, and should not be handed out carelessly or excessively. Doing so would undermine the specified purpose for which the employee provided the personal data on the card, and would leave the employee exposed to cold-callers and to phishing or malicious attachments sent by email.
Employers and data protection
How does data protection apply to employees’ emails?
Employee email addresses constitute personal data. As you will store the email address, you are processing and storing the data.
To ensure you do not breach your obligations, store the data securely so that it is not at risk of being lost or stolen. To uphold the six principles of data protection, keep the email address only for as long as necessary and keep it up to date, and tell your employees why you need to store it.
You should also ensure employees are aware of their duties under data protection law. In particular, it is important that employee emails containing personal data about customers are protected. One way to achieve this is to establish a business policy which encourages minimum personal data to be included in the email.
How does data protection affect recruiting and interviewing potential job candidates?
Recruiting and interviewing potential job candidates will require you to collate and process personal data both sensitive and non-sensitive. It is therefore very important to take measures to ensure you do not breach your data protection obligations.
Discharging your obligations begins when you advertise a job role. It is important the potential job candidate is aware you will be processing the personal data provided. Such clarity is essential if you recruit through an agency, as the potential job candidate will need to know that the information provided to the agency will be processed by you.
When requesting details about criminal convictions, you should consider whether you can limit the amount of details you request. For example, you may only seek information about any criminal convictions which relate directly to the job.
If your application procedure is online, ensure the portal is served only over HTTPS (TLS) and that submitted applications are stored encrypted, so that personal data provided by the candidate is protected in transit and at rest rather than exposed to interception or theft.
You should also inform interviewers how to store any information and personal data recorded during the interview. Once a reasonable time has passed, this information should be destroyed properly.
For more detail on how to take measures on compliance with DPA during recruitment and interviewing, read the Employment Practice Code by the ICO.
What are the data protection implications of keeping CVs on file for later use?
An employer can keep CVs and other details of unsuccessful candidates on file, if it complies with its duties under the GDPR.
Candidates must be provided with a privacy notice, so they are fully aware of how long their data will be kept and how their personal data will be used, including explicit mention if you are holding CVs for the purpose of future vacancies. The employer should have a process in place so that this actually happens and so that personal details are not kept for longer than necessary for the businesses purposes it was collected for.
There must be a legal basis for holding the personal data, such as that the employer has a legitimate interest. The employer must either inform the candidates that they have the right to object to the processing or ask candidates for written consent to hold their data.
Data protection and whistleblowing/whistleblowers
Any worker who makes a protected disclosure in the correct manner will be protected from dismissal or other disadvantage because of the disclosure.
A disclosure must be made to an appropriate recipient and must be in respect of one of the following:
- the commission (or likely future commission) of a criminal offence; or
- a breach (or likely future breach) of a legal obligation, where this has been (or is likely to be) deliberately concealed.
A disclosure will not qualify if a worker commits an offence by making it, or if the information is subject to legal professional privilege. For the whistleblowing provisions to apply, whistleblowers must reasonably believe that the information they are giving is true and they must act in good faith. Disclosures should first be made under a whistleblower’s employer’s whistleblowing policy, if they have one, therefore as a business you have an extra layer of protection afforded to you if this can be dealt with internally first. If you would like help in drafting a Whistleblowing policy for your business, our specialist employment lawyers can assist.
Provided that whistleblowing has been done correctly the information collected will remain confidential and disclosed only so far as is required to be able to investigate the complaint. Organisations such as the ICO which may receive reports of wrongdoing have a duty of confidence and to protect the data of the organisations they regulate and are legally prevented from sharing much of the information they hold about them. Whilst the ICO publish information about the action they take as a result of disclosures made by whistleblowers in a yearly report, this won’t contain information which will identify individual whistleblowers or their employers (including ex-employers).
Under the GDPR, where a DPO is appointed, the Article 29 Working Party (the EU’s central advisory body on data protection, since succeeded by the European Data Protection Board) has made clear how much the DPO role is about preventing breaches, not just reporting them. There was concern that creating the DPO role would simply install a data protection whistleblower within each organisation. Communication with the DPO must be confidential for the role to function, so the idea that the officer might act as a whistleblower is highly unlikely. A DPO is far more likely to want to build trust with employees and fix a potential data breach before it happens than to report it afterwards by means of whistleblowing. The DPO is responsible for advising on data protection impact assessments and carrying out data protection audits, and is the point of contact for individuals about the processing of their personal data or the exercise of their rights under the GDPR. Their role is therefore not that of an independent whistleblower and should not be seen negatively; the GDPR promotes accountability, enhancing the trustworthiness of data processing within organisations.
Are there any data protection implications of allowing employees to work from home?
There are added challenges in terms of data protection when employees work remotely. Personal data is likely to end up on laptops and mobile devices, which are more easily mislaid or stolen. An employer cannot eliminate that risk but can limit the damage: set strict access rights so that each user sees only the personal data their role needs, encrypt devices (full-disk encryption with a screen lock) so that a lost device yields nothing, pseudonymise data where the work does not need direct identifiers, and keep the ability to wipe a lost or stolen device remotely. Where possible, have staff work on data held in central systems over an authenticated connection rather than copying it onto the device.
To protect work laptops and devices from misuse, organisations may be tempted to install software that tracks how employees (or criminals) use the device. Plenty of software can log keystrokes or track mouse movements, but this is difficult to reconcile with the GDPR: remote employees may keep irregular hours and use the same device for both personal and work purposes, so such monitoring cannot distinguish an employee’s work from their private life. Blanket monitoring of that kind is very unlikely to be lawful: it is hard to identify a lawful basis, and employees may not know what personal data is being collected or for what purpose. Security controls that do not profile the user (device encryption, endpoint protection, logging of access to specific systems), backed by a clear and communicated policy, are the better route, and any monitoring that is introduced should be preceded by an impact assessment.
Business to business (b2b) and commercial data protection
How is business to business marketing affected by data protection?
When marketing to corporate subscribers (limited companies and LLPs) you do not need prior consent from the business receiving the marketing, although good practice requires you to give businesses a way to opt out. Be aware that sole traders and non-LLP partnerships count as individual subscribers under the Privacy and Electronic Communications Regulations, so electronic marketing to them needs the same consent as marketing to consumers, and that a named employee’s contact details at a corporate subscriber are still personal data under the GDPR.
How does data protection apply during a business sale or business transfer?
When you sell or transfer your business, during the disclosure and due diligence period, you may need to provide the buyer with personal data of the directors, employees, suppliers and customers of the business. Similarly, in an asset sale, it’s common for the customer list and suppliers to be transferred to the buyer, meaning their personal details will need to be provided. This is especially true of employees that will be transferred under TUPE. Given that you will be sharing personal data that you hold, you are processing the personal data.
To ensure you comply with your data protection obligations, it is important to notify the individuals that their personal data is being disclosed to the buyer. It is also good practice for the buyer to notify the data subjects that they have received the personal data. As you may be reluctant to notify individuals in the early stages of the sale, it is advised that you anonymise the personal data until you reach a later stage in the deal.
If you are selling your business by way of share sale, the identity of the data controller will not have changed. This means it is not essential to notify individuals about processing unless the new shareholder will be using the personal data for a purpose different to the specified purpose.
If you are selling by way of asset sale, both the seller and buyer should inform the individuals about the disclosure and receipt of personal data.
The manner of notice may simply involve publicising the transaction. However, if there is a personal data of customers with a relationship with the business, or if there is sensitive data being transferred, you should contact the individuals directly.
Like with processing personal data in other circumstances, you must meet the conditions of processing. Although it is common to rely on legitimate interests, you should take care when transferring personal data before completion of the sale as it will be harder to justify such disclosure at this stage of the transaction.
It is also important to remember that if the identity of the data controller changes as a result of the sale (common in asset sales, not so in share sale), the ICO needs to be notified about the change within 28 days.
When you are selling your business, you should also ensure security of all personal data held throughout the transaction.
Data protection and different kinds of businesses
Is data protection for small businesses different?
No. The obligations under data protection law are the same for every data controller, whatever its size. The only difference is the ICO fee: small organisations pay the lowest tier, and only the largest organisations (by staff numbers and turnover) pay the top tier of £2,900.
Is data protection for online businesses different?
No. As with small businesses, data protection law is no different for online businesses. Because an online business exposes its systems to the internet, however, it needs to take particular care: personal data is at risk of being accessed by attackers, corrupted or lost.
You should therefore ensure that all communication with customers and all payment flows run over TLS (HTTPS), that personal data at rest is encrypted, and that payment card details are handled by a compliant payment provider rather than stored by you. Encryption alone does not make a system safe: access control, prompt patching of the software you run and tested backups matter just as much.
What does GDPR mean for life sciences companies?
The GDPR introduces the concept of pseudonymisation: processing personal data in such a way that it can no longer be attributed to a specific individual without the use of additional information, with that additional information kept separately and protected by technical and organisational measures so that the data is not attributed to an identified or identifiable person. Pseudonymised data remains personal data, because the controller (or anyone who can reasonably obtain the additional information) can still re-identify the individual; only truly anonymised data falls outside the GDPR.
As a result, life sciences companies need to reconsider whether their coded data constitutes personal data under the GDPR. The test is whether the company, or a third party, could by reasonable means identify an individual from the coded data, for example by obtaining the separately stored code key. Where that is reasonably likely, the coded data is personal data and must be handled as such, even though it contains no names. An unkeyed hash of a patient or NHS number is a common trap here: anyone can recompute it for every plausible number and recover the identifier, so it offers no real protection.
In such circumstances you need to be registered with the ICO and pay the fee for that processing, and comply with all the obligations under the GDPR, including a lawful basis, transparency and security appropriate to the sensitivity of health data.
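As an added example (not code from the original page), the Python below contrasts two ways of coding a patient identifier. A naive unkeyed hash looks opaque but is reversed in seconds by recomputing it over the plausible identifier space; a keyed code (HMAC) with the key and the code-to-identifier lookup held by a separate custodian can only be reversed by that custodian, which is what ‘additional information kept separately’ means in practice. The patient numbers, the record contents and the candidate range used by the attacker are all constructed for the example; a real identifier space such as a ten-digit number is larger but still entirely enumerable.

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Optional

# Constructed sample records: a coded dataset as a study team might hold it.
SAMPLE_RECORDS = [
    {"patient_no": "1000001", "age_band": "40-49", "result": "positive"},
    {"patient_no": "1000002", "age_band": "30-39", "result": "negative"},
    {"patient_no": "1000001", "age_band": "40-49", "result": "negative"},  # same patient, follow-up
]


def unkeyed_code(patient_no: str) -> str:
    """Naive 'coding': a plain hash of the identifier. Looks opaque, but anyone who
    can enumerate the identifier space can reverse it (see dictionary_attack)."""
    return hashlib.sha256(patient_no.encode()).hexdigest()[:16]


class Pseudonymiser:
    """Holds the 'additional information' the GDPR requires to be kept separately:
    the secret key and the code -> identifier lookup. Only this party can re-identify."""

    def __init__(self, key: bytes):
        self._key = key
        self._lookup: Dict[str, str] = {}

    def code(self, patient_no: str) -> str:
        # Keyed and deterministic: the same patient always gets the same code, so
        # records can still be linked, but nobody without the key can recompute it.
        c = hmac.new(self._key, patient_no.encode(), hashlib.sha256).hexdigest()[:16]
        self._lookup[c] = patient_no
        return c

    def reidentify(self, code: str) -> Optional[str]:
        return self._lookup.get(code)


def pseudonymise(records: List[dict], coder: Pseudonymiser) -> List[dict]:
    """Return copies of the records with the direct identifier replaced by a code.
    This is what the research team (or a third party) receives."""
    out = []
    for r in records:
        r2 = {k: v for k, v in r.items() if k != "patient_no"}
        r2["code"] = coder.code(r["patient_no"])
        out.append(r2)
    return out


def dictionary_attack(codes: List[str], candidates: List[str],
                      code_fn: Callable[[str], str]) -> Dict[str, str]:
    """Try to reverse codes by recomputing them over every candidate identifier.
    Succeeds against unkeyed hashes of a small identifier space; fails without the key."""
    reverse = {code_fn(c): c for c in candidates}
    return {c: reverse[c] for c in codes if c in reverse}


if __name__ == "__main__":
    custodian = Pseudonymiser(b"constructed-key-held-only-by-the-data-custodian")
    study = pseudonymise(SAMPLE_RECORDS, custodian)
    print("coded dataset:", study)
    candidates = [str(n) for n in range(1000000, 1000100)]   # attacker's guess space (constructed)
    weak = [unkeyed_code(r["patient_no"]) for r in SAMPLE_RECORDS]
    print("unkeyed codes recovered:", dictionary_attack(weak, candidates, unkeyed_code))
    outsider = Pseudonymiser(b"wrong-key")
    print("keyed codes recovered:", dictionary_attack([r["code"] for r in study], candidates, outsider.code))
```

The keyed dataset is still personal data in the custodian’s hands, and in the hands of anyone who could reasonably obtain the key or the lookup; the example shows why the question of who can reach that additional information, rather than the absence of names, is what decides the GDPR analysis.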
How does data protection affect regulated firms?
Regulated firms must comply with their relevant regulated authority (such as the FCA for financial companies, and the SRA for law firms). Considering regulated firms process personal data when providing services, these regulatory authorities require the firms that they regulate to ensure compliance with data protection. For this reason, a regulated firm may already have the measures implemented to comply with the current data protection obligations.
An example of data protection-related compliance imposed by the FCA is the obligation on regulated firms to show they have robust systems that mitigate the risk of financial crime, including fraud enabled by the loss or theft of customer data, and effective systems to detect, prevent and deter such crime.
However, as the GDPR (together with the Privacy and Electronic Communications Regulations) has introduced new rules, regulated firms now need to take additional measures to meet them. These include giving users a genuine choice to opt in to non-essential cookies, and a narrower scope for the ‘soft opt-in’ (marketing messages to existing customers). It is therefore advised that regulated firms take the time to review their current data protection compliance and ensure that they are meeting all of the additional obligations under the GDPR.
What is the ePrivacy Directive and how has it been affected by the GDPR?
The ePrivacy Directive (implemented in the UK by the Privacy and Electronic Communications Regulations, PECR) regulates electronic communications such as marketing calls, emails and SMS, and the use of cookies, to protect the privacy of users. The GDPR did not itself widen that scope; it is the proposed ePrivacy Regulation, intended to replace the Directive, that would extend the same rules to instant and social messaging, voice over IP (for example, Skype), web-based email and other digital forms of communication. What the GDPR has changed is the standard of consent on which the ePrivacy rules rely.
One of the biggest changes is the standardisation of consent. The GDPR requires consent under ePrivacy to be:
- freely given, specific, informed and unambiguous
- expressed by a statement or clear affirmative action – silence, pre-ticked boxes and inactivity don’t count
- easy to withdraw
- easily demonstrated by the organisation
- in clear and plain language
- distinguished from other matters.
Cookie consent must now meet the same standard: users must be given a genuine choice to opt in to non-essential cookies, and pre-ticked boxes or continued browsing do not amount to consent. In addition, when marketing by telephone you must display your number when calling.
The ePrivacy Directive is due to be replaced by the ePrivacy Regulation. The original hope was for adoption by the end of 2019, but the Regulation has been repeatedly delayed; updates will be provided in due course.
How does data protection law impact on any freedom of information requests?
Often a good start is making clear what the request is in the first instance. An individual may make a request for their own information (a subject access request under the Data Protection Act) but may think this falls under the Freedom of Information Act. You may need to clarify this when completing a request. There has always been a certain amount of tension between the Data Protection Act and the Freedom of Information Act, as the Data Protection Act exists to protect people’s right to privacy, whereas the Freedom of Information Act is about removing unnecessary secrecy, which can sometimes be incompatible aims.
If someone makes a request for information that includes someone else’s personal data, a balance needs to be struck between the case for transparency and openness under the Freedom of Information Act and the data subject’s right to privacy under the Data Protection Act, when deciding whether information can be released without breaching the data protection principles.
There are also a few recent changes to data protection law which have raised new considerations when disclosing personal data under the Freedom of Information Act. The new definitions of personal data and sensitive personal data will now need to be taken into account and if the information is now considered to be the personal data of a third party, public authorities need to look at whether disclosure would breach the data protection principles. However, the Freedom of Information Act has been amended by the Data Protection Act 2018 so that the ‘legitimate interests’ lawful basis is applicable to public authorities considering disclosure.
How does data protection law affect blockchain?
Businesses using blockchain must ensure that the specific technical design meets the requirements of data protection law.
Blockchain databases allow parties to transact without disclosing their identity directly to the counterparty or to the public. Transaction data that genuinely cannot be linked to an identifiable person falls outside data protection law, so a company can process such data without the specific restrictions of the GDPR. That conclusion only holds, however, if individuals really cannot be traced from the data.
In practice that is often not the case. Studies have shown that a Bitcoin address recorded in the blockchain can be linked to the IP address that broadcast the transaction, and the IP address to a specific internet connection or its owner. Although no names, postal addresses or telephone numbers appear in the transaction entries themselves, the addresses are pseudonyms rather than anonymous values, and pseudonymous data that can be attributed to a person is personal data under the GDPR. Such de-anonymisation is possible, if not routine, and could largely be avoided by a different technical design (for instance keeping personal data off the chain and recording only a reference to it). Companies considering blockchain technology should therefore apply the principle of data protection by design from the outset.
Blockchain databases are not naturally suited to privacy by design. Some of its elements (transparency, privacy by default, building data protection into the application design) can be incorporated into the technological layer of a blockchain application fairly easily, but guaranteeing effective data protection throughout the application’s entire life cycle, including the ability to correct or delete data later, is much harder to achieve on an immutable ledger.
Blockchain databases could be used for the purposes of data protection, as by the purpose limitation principle personal data may only be collected for clear and legitimate purposes and not be further processed in a manner incompatible with these purposes. Compliance with the purpose limitation principle could be monitored by providing each piece of individual personal data with a meta-tag, (a unique electronic label that provides information on the nature and extent of the processing allowed for the personal data). A decentralised register managed as a blockchain could be used to make the processing of personal data by companies more transparent.
The Court of Justice of the EU ruled in Google Spain (2014) that EU citizens can require internet search engine operators to remove results about them where the information is no longer relevant and is not significant to the public interest, and the GDPR now contains a ‘right to erasure’ (the ‘right to be forgotten’, Article 17) enforceable against any data controller. An immutable ledger sits awkwardly with this. Either the blockchain must remain editable, which requires trusted administrators empowered to alter the ledger under preset rules and so undermines its character as a decentralised peer-to-peer database, or personal data must be kept off the chain altogether, with the ledger holding only a reference (such as a salted hash) whose underlying data can be deleted on request.
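As an added example (not code from the original page), the Python below shows the two designs side by side on a minimal hash chain. Writing personal data into a block and later overwriting it breaks the chain’s integrity, which is the tension described above; keeping the personal data in an ordinary deletable store and committing only a salted hash to the chain lets an erasure request be honoured while the chain still verifies. The ‘Ledger’ here is a toy hash chain standing in for a real blockchain, and the subject records are constructed.

```python
import hashlib
import json
import secrets
from typing import Dict, Optional, Tuple

GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Ledger:
    """Minimal append-only hash chain standing in for a blockchain's integrity guarantee:
    each block commits to the previous block's hash, so changing any payload breaks the chain."""

    def __init__(self):
        self.blocks = []  # each block: {"prev": ..., "payload": ..., "hash": ...}

    def append(self, payload: str) -> int:
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        self.blocks.append({"prev": prev, "payload": payload,
                            "hash": sha256_hex((prev + payload).encode())})
        return len(self.blocks) - 1

    def verify(self) -> bool:
        prev = GENESIS
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != sha256_hex((prev + b["payload"]).encode()):
                return False
            prev = b["hash"]
        return True


def naive_onchain_erase(ledger: Ledger, index: int) -> bool:
    """Personal data was written on-chain and an erasure request is honoured by
    overwriting it. Returns whether the chain still verifies afterwards (it does not)."""
    ledger.blocks[index]["payload"] = "REDACTED"
    return ledger.verify()


class OffChainRegistry:
    """Privacy by design: personal data lives in a conventional, deletable store;
    the ledger records only a salted commitment to it."""

    def __init__(self):
        self.ledger = Ledger()
        self._offchain: Dict[int, Tuple[bytes, dict]] = {}

    @staticmethod
    def _commit(salt: bytes, record: dict) -> str:
        # The random salt stops anyone brute-forcing the commitment from guessable field values.
        return sha256_hex(salt + json.dumps(record, sort_keys=True).encode())

    def record(self, subject_record: dict) -> int:
        salt = secrets.token_bytes(16)
        index = self.ledger.append(self._commit(salt, subject_record))
        self._offchain[index] = (salt, subject_record)
        return index

    def resolve(self, index: int) -> Optional[dict]:
        entry = self._offchain.get(index)
        if entry is None:
            return None          # erased (or never stored): the commitment is now meaningless
        salt, rec = entry
        if self._commit(salt, rec) != self.ledger.blocks[index]["payload"]:
            raise ValueError("off-chain record does not match its on-chain commitment")
        return rec

    def erase(self, index: int) -> None:
        # Right to erasure: delete the data and its salt; the chain is untouched and still verifies.
        self._offchain.pop(index, None)


if __name__ == "__main__":
    registry = OffChainRegistry()
    i = registry.record({"name": "A. Example", "email": "a.example@example.test"})  # constructed
    registry.erase(i)
    print("after erasure:", registry.resolve(i), "chain valid:", registry.ledger.verify())
    naive = Ledger()
    naive.append("name=A. Example;email=a.example@example.test")
    naive.append("next transaction")
    print("naive redaction leaves chain valid:", naive_onchain_erase(naive, 0))
```

The off-chain design keeps the ledger’s ordering and tamper-evidence for the commitment while the data subject’s information remains under a controller that can delete or correct it; deleting the salt along with the record is what prevents the leftover hash from being matched against guessed values later.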