Data protection is incredibly complex for businesses and often requires detailed legal advice, especially with the General Data Protection Regulation (GDPR) now being in force.
Here we’ve answered our clients’ most common questions in these data protection FAQs.
What is data protection and why does it matter?
Data protection is now governed by the EU General Data Protection Regulation (EU GDPR), which took effect on 25 May 2018, and the Data Protection Act 2018, which received Royal Assent on 23 May 2018. Since Brexit, the UK has adopted the EU GDPR into domestic law, referred to as the UK GDPR (retained law). Data protection law regulates access to and use of personal data that is collected, processed and stored by automated means or in a structured filing system. It is important to ensure you comply with data protection regulation when running your business, because a failure to do so can result in your business having to pay a large fine.
To figure out whether you should be concerned about data protection regulation, you need to ask whether you process data about individuals – employees, customers, suppliers – which is ‘personal’.
Data is ‘personal’ if the information relates to a living individual, and that individual can be identified from the data, or from the combination of this data and other data which you, as a data controller, hold or are likely to come into possession of. You can be a data controller and a data processor for different processing of personal data. A data controller determines the means and purpose of processing personal data. A processor follows the instructions of the data controller. Under the GDPR, a data controller must set out written instructions to the processor. Usually, these terms are defined within a data processing agreement.
If you would like more information on what kind of information would fall within the definition of personal data, you can read our helpful advice post on What is personal data under GDPR?
Why should your business comply with data protection legislation?
The current legislation on data protection imposes obligations on both ‘data controllers’ and ‘data processors’. A business is a legal person: this means it can be a data controller if it collects personal data and decides how and why that data is to be processed.
A data processor would be a business or person that would physically carry out the processing.
If you are dealing with personal data you have an obligation to register with the Information Commissioner’s Office (ICO) and follow the requirements of the regulation. Usually this attracts a fee.
It is important you comply with the data protection legislation. A failure to comply can lead to the ICO serving an enforcement notice on your business, depending on the severity of the breach. If you do not comply with the notice within the period specified in the notice, the ICO will usually use its enforcement powers to impose a penalty on your business.
You should not underestimate the penalties that can be imposed for non-compliance. Under the UK GDPR, your business could face a fine of up to £17.5 million or 4% of global annual turnover in the preceding financial year, whichever is higher. Even more importantly, the ICO could commence criminal proceedings against serious offenders. Similarly, an individual could commence proceedings against you for breach of data protection laws.
What are the requirements on your business for data protection?
When collecting, processing and storing personal data, your business should ensure you comply with the Data Protection law.
Under the UK GDPR, you can process personal data if one of the six conditions is met, known as the lawfulness of processing:
- The data subject has given consent to the processing
- Processing is necessary for the performance of a contract
- Processing is necessary for compliance with a legal obligation
- Processing is necessary in order to protect the vital interest of the data subject
- Processing is necessary for the performance of a task carried out in the public interest
- Processing is necessary for the purpose of the legitimate interest pursued by the controller or third party except where such interests are overridden by the data subject
Where you process personal data, you should always adhere to the spirit of the six data protection principles. Personal data shall be:
- Collected for specified purposes. Any new purpose will need to be connected to the original purpose.
- Adequate, relevant and not excessive in relation to the specified purpose.
- Accurate, and where necessary kept up to date.
- Kept for no longer than is absolutely necessary for the specified purpose. Once the data is not needed, it should be securely deleted or disposed of.
- Processed in a manner that ensures appropriate security, using technical and organisational measures to prevent unauthorised or unlawful processing and accidental loss of or damage to personal data.
Enshrined within the six principles is the express requirement to demonstrate ‘accountability’ for compliance purposes.
When you are dealing with sensitive personal data, you can only process the personal data if you meet certain further conditions in addition to those set out above. Like with non-sensitive personal data, when processing, you are obliged to respect and uphold the six data protection principles.
Special category data consists of information on an individual’s:
- Racial or ethnic background
- Political opinion
- Religious or philosophical beliefs
- Trade union membership
- Data concerning health
- Sex life or sexual orientation
- Biometric or genetic data
Personal data relating to criminal convictions and offences are no longer included as sensitive or special category data, but extra rules will still apply to its processing.
Where can you get general advice on data protection for businesses? Are there data protection guidelines for businesses?
One helpful source is the ICO. This organisation provides practical advice on how to comply with data protection regulation and how to improve data protection practices in your business. You can access these practical guides, which include a ‘Data protection self-assessment toolkit’, at the ICO website. An added benefit of this site is that it also provides access to an online chat with a data protection advisor.
The Gov.uk website can also provide helpful advice on your business’s obligations when processing personal data – particularly in the context of recruitment, monitoring staff and using CCTV.
When do you need a solicitor for specialised data protection legal advice?
At Harper James Solicitors, we have numerous specialist data protection and privacy lawyers with many years’ experience advising businesses on how to comply with data protection obligations. We have the specialism and expertise to advise on compliance, and to assist with drafting records of processing activities and privacy policies, carrying out data protection impact assessments and data security processes, and negotiating contractual data processing terms and data sharing agreements, so we can help guide you through your obligations under the data protection legislation. Since the Schrems II case, we can also assist businesses in assuring safe cross-border transfer of data by conducting transfer impact assessments.
What is the law on data protection for businesses?
| Definition/Scope | The definition has been made much broader in scope to include factors like genetic, mental, economic, cultural, or social identity of the data subject. Although appearing exceptionally broad, the aim is to encourage data controllers to consider whether the amount of information they process is truly necessary. |
| Conditions | An additional distinction has now been made between non-sensitive personal data, sensitive personal data, and personal data of children under the age of 16. Parental consent is now needed to process the personal data of children. If processing personal data when offering an internet service directly to children, in the UK only children aged 13 or over can provide their own consent. |
| Obligation | Some data controllers are now required to appoint a Data Protection Officer (DPO). This mandatory obligation applies to your business if: |
| Risk-based approach | A risk-based approach is now required, meaning mandatory impact assessments need to be undertaken in certain circumstances by data controllers. Data controllers therefore need to identify the risk of privacy breach when data processing, and if the risk is high, they must minimise this risk before proceeding with the processing activity. The processing should consider privacy from the moment the concept of a product or service is created. |
| Notification obligation | Data controllers will be obliged to report data breaches to their data protection authority unless the breach is ‘unlikely to represent risk to the rights and freedoms’ of the data subject. Where the risk is particularly high, the data subject must also be notified. |
| Right to be forgotten | The regulation introduced the right in several circumstances and where it applies, obliging data controllers to inform third parties it has shared the data with of the erasure, unless this would involve disproportionate effort or prove impossible. |
| Data sharing | The GDPR introduced obligations on data controllers and processors to document all data processing activities, including data retention and sharing, with limited exceptions for SMEs. The ICO has published a new Data Sharing Code of Practice, which took effect from December 2020. |
| Data subject’s rights | Data processors (individuals who only process personal data on behalf of a data controller) now also have a responsibility to protect personal data. This means data subjects can take legal action against the data processor for privacy breaches. |
| Data subject’s rights | Data subjects now have the right to request a copy of personal data to be provided in a commonly used electronic format, and in certain circumstances (known as ‘the right to data portability’) the data controller must transmit the data directly to another organisation. |
| Penalty for breach | Penalty for breach is significantly greater as the ICO can fine a data controller up to 4% of its annual global turnover or £17.5 million – whichever is greater. It is still a criminal offence to breach the data protection regulation. |
Does your business need a data protection policy? What should it cover?
Although there is no explicit requirement under law to adopt a data protection policy, having one can help provide a system which enables you and everyone within your business to discharge your obligations and, depending on your organisation, may be necessary to make data processing work. It’s therefore highly advisable to adopt a data protection policy, as this will allow your business and employees to understand their obligations under the legislation.
The data protection policy should emphasise the importance of data protection, and clearly state how everyone in the business can protect personal data. When writing your data protection policy, you should keep in mind the six principles of data protection, as we discussed above.
A good business data policy will cover:
- The type of data it applies to (such as normal, sensitive, or children)
- Who is responsible for data protection
- The main risks faced by the company
- Precautions on how to keep data protected
- Explanations and instructions on how data should be stored and backed up
- Explanation on how the company ensures data is kept accurate
- What to do if an individual asks to access the data that is held on them
- Under what circumstances the business or employees can disclose data and to whom
- How the company keeps individuals informed about data it holds
- Procedure to comply with when transferring data overseas
What type of information is subject to Data Protection Laws?
All businesses that process personal data shall be subject to data protection laws. There are some exemptions to this, such as the household exemption. At Harper James, we can determine whether you fall into any exemptions.
Whose responsibility is data protection in your business?
The responsibility for complying with data protection lies with the data controller, which is the ‘person’ which collects and processes data. A ‘person’ includes individuals, organisations and companies. If your business is a company rather than, for example, just you as a sole trader, then the company is responsible for data protection: for example, the directors and other staff employed by the company.
You can appoint a data protection officer to take a proactive role in ensuring compliance with data protection. However, if there is a breach of data protection legislation, ultimately, your company will be liable: not the data protection officer. You should therefore appoint a data protection officer that has the necessary skill and resources to be able to do their job.
Does your business need a data protection officer (DPO)?
Under the UK GDPR, a data protection officer (DPO) must be appointed if you are a public body, or where your core activities involve monitoring individuals or where you process sensitive data or personal data relating to criminal convictions and offences. The DPO will have the responsibility of:
- informing the business and employees about their obligations under GDPR
- monitoring compliance and ensuring there are data protection policies in place
- training staff on GDPR compliance and data protection audits
- providing advice on data protection impact assessments (required by GDPR) and
- co-operating with the ICO and acting as its point of contact
Why do you need to know about GDPR and Data Protection Act 2018, and what do you need to do about it?
You need to know about this as it impacts any legal ‘person’ which processes personal data. To ensure you are complying with the legislation, you should review your business data protection policy and systems at least annually, and make the changes necessary to make it compliant with the law. Read our advice post Your business guide to GDPR compliance.
The GDPR aims to make data processing more transparent, whilst also increasing accountability for data processing. Measures you can take to comply include:
- Reviewing the effectiveness of your data handling/processing activities
- Reviewing security of data
- Keeping staff trained on how to protect personal data
- Ensuring you keep an accurate record of all personal data held, where the data came from, and who it has been shared with
- Ensuring you have a system and process for conducting data protection impact assessments
- Appointing a DPO if you meet the criteria
- Reviewing the system by which you obtain, record and manage consent
- Ensuring you have a system which verifies the age of individuals, so you can identify children and obtain parental consent where required
- Reviewing your privacy notice
- Reviewing your procedure to grant data subjects access to the personal data you hold regarding them
- Ensuring you have an appropriate procedure which detects, reports and investigates privacy breaches
To find out more about how you can comply, the ICO prepared a helpful checklist prior to the introduction of the GDPR, which you can use to help you identify the measures to take.
What happens if your business breaches data protection law?
An individual or individuals known as the data subject(s) can issue court proceedings where you have breached data protection laws. They can be compensated for material or non-material damages. Material means financial loss and non-material means “significant distress or harm”. Similarly, the ICO can issue monetary penalties against your business.
What is a legitimate business purpose in relation to data protection?
One of the lawful conditions for processing personal data is that it is necessary for the purpose of a legitimate interest of the controller or a third party to whom the data is disclosed.
‘Legitimate interests’ isn’t defined by legislation: it can include a broad range of interests. The interest must be:
- Lawful in terms of being compliant with relevant laws
- Sufficiently articulated so the interest can be balanced against the interest of the data subject
- A real and present interest – that is, not a speculative interest
Examples of a legitimate interest include:
- Monitoring employees for safety/management purposes
- To manage a relationship with a client
Businesses may find it helpful to justify their legitimate business purpose by completing a ‘Legitimate Interests Assessment’. The ICO website provides a precedent that may assist you.
When is it not required to get permission from a person to process personal data?
Consent is where you would require the permission of an individual to process their personal data. Consent shall be freely given, specific, informed and unambiguous. Businesses that rely on consent find themselves in difficulties, as consent must be as easy to withdraw as it is to give. Where you do not wish to rely on consent, you can look at the other five conditions for processing personal data, as discussed in our article on the six lawful bases for processing.
There are certain circumstances where you can process personal data without consent (even when there is sensitive information). These are set out in the legislation and include reasons such as:
- To safeguard national security
- To prevent or detect crime or to apprehend an offender
- To assess or collect tax or duty
- Where you are obliged to make the personal data public due to an obligation under law
- Where you are obliged to process and disclose the information in connection to legal proceedings
What does data protection mean for business continuity?
As business continuity encompasses ‘resilience, recovery, and contingency’ to ensure your business can continue operating in cases of serious incidents or disasters, and recover swiftly to an operational state, you should account for data protection.
The penalties of failing to comply with data protection obligations are significant and can disrupt the operation of your business. By ensuring you have measures in place to protect you from data breaches, you can avoid your business coming to a standstill when hackers access personal data that you store and use.
A recent example of how much impact a data protection breach can have on a data controller is the data breach by Uber. The company had to contact 2.7 million customers about the breach, in which customer names, mobile numbers and email addresses were accessed by hackers. As well as failing in its obligations regarding data protection, the company increased its liability by attempting to cover up the privacy breach by paying the hackers. Considering the new penalties for a failure to notify individuals and the regulator of a breach, it is important that you put systems in place to prevent privacy breaches and to deal efficiently with breaches. This will help you avoid paying large sums in penalties, enabling business continuity.
How does data protection affect business documents? What about creating or producing a new business document?
Because the principles of data protection require you to process personal data fairly and for a specified purpose, it is important that your business documents only request the personal data necessary to allow you to achieve that purpose.
For example, if you are producing a business report for external use, you may find that it is unnecessary to identify key employees at a specific outlet of your business when covering the sales figures and performance of the business. You should therefore exclude any personal data in this report. This is particularly important if the business report will be made publicly available or available to investors.
Similarly, when drafting documents to transact with clients or suppliers, it is important that only the necessary information is requested. For example, when transacting with an individual supplier, it is unnecessary to request sensitive information such as ethnic background.
In addition to this, you will need to ensure that when such business documents are made available to third parties, such as external auditors or accountants, the personal data contained in these documents is adequately protected.
Finally, you should also ensure all personal data contained in such business documents is stored securely and is disposed of properly once it’s no longer needed.
What are the data protection requirements for storing business information?
When storing business information, you have several obligations. For example, you must ensure that personal data:
- Is protected from being stolen and accessed by hackers
- Is backed up so it is not accidentally lost
- Is kept accurate and up to date
To achieve these goals, it’s recommended to restrict the number of individuals who have access to this information and have a policy to remove personal data after a specified period of time has passed (known as retention period).
My business uses CCTV, or wants to start using CCTV. What are the data protection implications?
CCTV surveillance gives you images that can contain personal data about people, such as a vehicle registration number, which can be used to identify an individual (for example, the owner). For this reason, the use of CCTV is regulated by data protection law.
As CCTV can be invasive, it is advised that you conduct a data protection impact assessment to objectively determine whether using CCTV is necessary for your business, and proportionate to the reason you are using it. You should also have a clear policy on handling the information collected by surveillance, and how that information is used and disclosed.
It’s important to ensure the access to the information recorded is restricted and that the information is only used for its intended purpose. The regulator recommends that where necessary and possible, the information is encrypted – as this prevents unauthorised access to the images.
If your business stores the information on a cloud computing system, it is essential that you ensure this system is secure. Additionally, viewing live images on monitors should be restricted to the operator or authorised person, and only when necessary. An example of when this would be necessary would be if the surveillance was used to monitor for health and safety purposes.
There are also important restrictions on your ability to disclose the information you obtain through surveillance. Whilst it would be a breach of data protection to disclose CCTV information to the media, it is lawful to disclose the information to the police to prevent and resolve crime.
Similar to personal data collected by other means, individuals have access rights to any information held regarding them. To allow you to comply with any access requests, it is advised that you store the information systematically to enable easy access. Again, you should only retain this information as long as is necessary for your specified purpose.
One key difference that applies when you collate information by way of CCTV is that you must let people know that surveillance is in operation. This can be done by way of a written notice in the area covered by the CCTV. This must be clearly visible.
You can access the ICO’s full code on surveillance here.
How does using Skype or Microsoft Teams for business affect data protection?
Skype and Teams are communication software that retain the information they collect. As this is stored on a cloud computing server, you need to ensure the service providers can protect any personal data they store as a result of your business usage.
Because neither product is end-to-end encrypted, neither can be regarded as secure and protected software. Due to this inability to ensure security of personal data, you should consider putting safeguards in place to ensure the security of information transmitted via the software.
How does data protection law affect your business’s use of third parties and subcontractors?
Due to your data protection obligations, you will need to ensure there are systems in place which can allow you to assess the risk of privacy breaches when using third parties and subcontractors.
If the third party or subcontractor will be processing personal data when providing services to you or even the customer directly, it is advisable you carry out a data protection impact assessment to balance the risk of sharing data and not sharing the data. As part of this assessment, you may consider the adequacy of the measures taken by the third party or subcontractor for protecting personal data and complying with other data protection regulations.
To comply with the principles, you should also ensure the individuals are informed about how the data will be processed, why, and by whom. One way to achieve this is to use a privacy notice.
If, however, the third parties or subcontractors are only processing personal data on your behalf (for example, outsourced payroll function), the party is considered a ‘data processor’, and the data processor has direct obligations under the GDPR.
If you are using a data processor, you should provide strict instructions on how the third party or subcontractor should process the information, and you should require appropriate security measures to be taken to protect the data. You can achieve this by way of a data processing agreement.
Considering you will be entering a written contract with the third party or subcontractor acting as the data processor, you could limit your liability against privacy breaches by stipulating that you are not liable for any breaches which occur due to the act or omission of the other party.
What is data protection tokenisation and how does it work?
Tokenisation is where sensitive data is replaced with unique identification symbols. These symbols retain all the critical information about the data without posing a risk to its security. A clear-text data value goes into a secure database, called a vault (or dictionary), where it is encrypted. In its place you are given a token. An index stores the real data value and its token, and the original piece of data can be found by presenting the token to the index. This differs from encryption, where the protected value is produced from the data value by a mathematical algorithm.
Tokens are particularly secure because, if a token is stolen, there is no way of turning it back into the real data value without access to the encrypted secure token vault. Tokenisation and encryption do not have to be security alternatives; they can complement each other.
Tokenisation is used widely for mobile payments, as smartphone-based payment applications store tokenised versions of your credit card details in a secure chip on your device or in the cloud. When you go to make a payment, the phone application authenticates you via fingerprint scan or passcode and sends the card token and a cryptogram to the seller’s point-of-sale terminal, which passes them to the credit card’s network. The credit card network then authenticates the token and the cryptogram and forwards them to the bank that issued the card. The bank decrypts the token, determines its authenticity, links it to your real account number and authorises the payment.
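The vault-and-index flow described above can be sketched in code. This is an added example, not taken from the original page or from any payment provider: the names `TokenVault`, `payment-service` and `analytics-job` are hypothetical, the card numbers are public test numbers, and an in-memory dictionary stands in for the encrypted vault database (encryption at rest is omitted here).

```python
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Return True if a digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Toy vault: hands out random tokens and keeps the token -> value index."""

    def __init__(self, authorised_callers):
        self._index = {}            # token -> real value (the "index" in the text)
        self._by_fingerprint = {}   # keyed hash of value -> token already issued
        self._fp_key = secrets.token_bytes(32)
        self._authorised = set(authorised_callers)
        self.audit_log = []         # (caller, token, outcome) for every lookup

    def _fingerprint(self, value: str) -> str:
        # Keyed hash so repeat values can be found without scanning clear text.
        return hmac.new(self._fp_key, value.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, value: str) -> str:
        # The token is random, not computed from the value, so it cannot be
        # reversed mathematically. It keeps the length and last four digits so
        # receipts and support screens still work. Design choice for this
        # example: tokens must fail the Luhn check so they are never mistaken
        # for a real card number by downstream systems.
        keep = value[-4:]
        while True:
            body = "".join(secrets.choice("0123456789")
                           for _ in range(len(value) - 4))
            token = body + keep
            if token not in self._index and not luhn_valid(token):
                return token

    def tokenise(self, value: str) -> str:
        if not value.isdigit() or len(value) < 12:
            raise ValueError("expected a card number as a digit string")
        fp = self._fingerprint(value)
        if fp in self._by_fingerprint:      # same value -> same token
            return self._by_fingerprint[fp]
        token = self._new_token(value)
        self._index[token] = value
        self._by_fingerprint[fp] = token
        return token

    def detokenise(self, token: str, caller: str) -> str:
        # Only named callers may present a token to the index; every attempt
        # is recorded, including refused ones.
        allowed = caller in self._authorised
        self.audit_log.append((caller, token, "allowed" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{caller} may not detokenise")
        return self._index[token]           # KeyError if the token is unknown


if __name__ == "__main__":
    vault = TokenVault(authorised_callers={"payment-service"})
    card = "4111111111111111"               # public test card number
    token = vault.tokenise(card)
    print("token stored by the merchant:", token)
    print("value recovered by payment-service:",
          vault.detokenise(token, "payment-service"))
    try:
        vault.detokenise(token, "analytics-job")
    except PermissionError as exc:
        print("refused:", exc)
    print("audit log:", vault.audit_log)
```

A system that only ever stores the token holds nothing that can be turned back into the card number; the security of the scheme rests on who can reach the vault and on the record of who asked.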
What is a data protection adequacy decision?
An adequacy decision looks at whether there is an adequate level of data protection when transferring data across borders. In the EU the adoption of an adequacy decision involves:
- A proposal from the European Commission
- An opinion of the European Data Protection Board
- An approval from representatives of EU countries
- The adoption of the decision by the European Commission
The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to the third country to which the adequacy decision relates, without any further safeguard being necessary. Countries and territories with an adequacy decision include Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.
On 28 June 2021, the European Commission adopted adequacy decisions for the transfers of personal data to the UK, under the GDPR and the Law Enforcement Directive.
Can a data protection officer (DPO) be prosecuted?
It is up to the controller or processor to demonstrate compliance with the GDPR; the DPO is not personally responsible or liable for any non-compliance with the GDPR. According to the GDPR, the DPO should not be dismissed or penalised by the controller or the processor for performing his or her tasks. DPOs are, however, still liable for non-compliance with general employment, contract, civil and criminal rules, and so can be fairly dismissed on grounds related to poor performance of DPO functions.
If DPOs have inadequate resources to perform their data protection functions, have raised this with data processors and controllers, and no action has been taken to improve this, the DPO is likely to be considered less responsible for any infringements.
Can a data protection officer (DPO) be a director?
There is nothing preventing a director from becoming a DPO, as long as a DPO is not expected to manage conflicts of interest and competing objectives that could result in data protection taking a secondary role to business interests. To avoid conflict, a DPO should not also be a controller of processing activities (e.g. head of Human Resources), should not be an employee on a short or fixed term contract, should report directly to top management and should be responsible for their own budget.
How to report a data protection breach and who this should be reported to
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It may be that the breach will need to be reported to the Information Commissioner’s Office (ICO). Not all data protection breaches need to be reported: the likelihood and severity of risk to people must be considered first. If you are unsure, you can use the ICO’s self-assessment tool. If there is a personal data breach and you decide that it does not meet the criteria needed to report it, you should still formally document why you have taken this decision in case it is challenged in the future.
If the breach does need to be reported, the report should be made by the data controller to the ICO without undue delay and, where feasible, not later than 72 hours after having become aware of the breach. If the breach is reported after 72 hours, the reasons for the delay should also be submitted to the ICO.
The report should describe the nature of the personal data breach, including, if possible, the categories and approximate number of data subjects and personal data records affected; give the name and contact details of the DPO; and describe the likely consequences of the personal data breach and the measures taken or proposed to be taken by the controller to address and reduce its negative effects.
How should your business handle data protection for deceased individuals?
Any promise to keep information confidential should last beyond death, and the information should be dealt with sensitively, but legally speaking the GDPR does not apply to data belonging to the deceased. Recital 27 of the GDPR says ‘This Regulation does not apply to the personal data of deceased persons.’
What are the data protection implications if your business uses body worn cameras or dash cams?
The Data Protection Commissioner has confirmed that, as the image of a person recorded by a dash cam allows for the identification of an individual, it does constitute personal data under the GDPR. Motorists using a dash cam are therefore likely to be data controllers and so must comply with data protection law. This means that in order to be transparent, which is a fundamental principle of data protection, any motorist using a dash cam should clearly display a visible sign/sticker on and/or inside the vehicle indicating that filming is taking place and provide certain details (either verbally or by way of a policy sheet) concerning the use of the data.
Further, motor insurance companies seeking dash cam footage of an incident in relation to a claim will likely become a separate data controller once the footage is handed to them and they would also need to comply with data protection law. There is also a joint-controller relationship where an insurance company incentivises drivers to use a dash cam to claim lower insurance premiums.
If your business uses dash cams or body worn cameras it is advisable to have a dash cam policy identifying the lawful basis for the processing of personal data collected from dash cams focusing on why that processing is necessary for the purpose it aims to achieve. Any material recorded must be securely stored and access should be restricted to authorised individuals who have been trained on data protection. Image sequences must not be altered in any way in case they are required for evidence.
Data Protection and the Information Commissioner’s Office (ICO)
Does your business need to pay a fee to the ICO?
If your business is a data controller that processes personal data then you must pay a data protection fee to the ICO unless an exemption applies. Controllers who have a current registration (or notification) under the DPA 1998 do not have to pay the new fee until that registration has expired.
The data protection fee your business has to pay depends on its size and turnover. There are three tiers of fee ranging from £40 to £2,900, but for most organisations it will be £40 or £60. Charities and small occupational pension schemes only pay £40, regardless of their size. The payment is subject to a nil band for VAT.
What if someone complains to the ICO about your business?
If someone complains about your business to the ICO, the ICO has wide powers to progress this complaint.
In addition to monitoring your business for compliance, the ICO can enter your business premises to assess compliance with data protection. If the ICO serves an ‘assessment notice’ on your business, you will need to comply with any requests made by the ICO regarding access to information, equipment, or systems which process personal data.
Upon this assessment, the ICO can produce monitoring reports and overview reports. In addition to making recommendations as to how you can improve data protection, it can also take enforcement action such as imposing monetary penalties and bringing criminal proceedings against you.
Marketing and Data Protection
What does data protection law mean for buying and selling databases?
When you buy and sell a database, you will be processing the data stored within the database. This also applies when you license a database because the licensee becomes a data controller in respect of the data.
Under data protection law, there is an obligation to inform individuals that their personal data is being transferred to the buyer or licensee. It is common for the buyer to do this by sending a ‘fair processing notice’, which is a written notice to the data subjects informing them of the change. If one party, such as the buyer, is responsible for this, it is important that the purchase agreement includes a warranty ensuring the party will fulfil this obligation. Upon this change in data controller, you should also notify the ICO within 28 days of the transfer.
You should note that while ‘legitimate interests pursued by you or third parties’ is one condition which might make the transfer/processing permissible, it is not advisable to rely on this alone. In some cases it may be necessary by law to rely on consent (such as electronic marketing) or better practice to do so, particularly where the sale of the data is not part of the sale of a business.
When transferring the data, you should ensure the six principles are respected. For this reason, data cannot be sold if the sale would be incompatible with the original purpose specified to the individual when collected. Considering this, you are advised to inform individuals that the information you are collecting may be sold or licensed in the future or, where the original purpose communicated did not provide for future sale, seek the individuals’ consent by re-issuing them with a privacy notice informing them of the sale, within a reasonable period of time.
You should also ensure the transfer is done securely, and measures are taken to protect the data from accidental loss and theft. If you are buying the database, you should check the details of data on the database to ensure it is not excessive or unnecessary with respect to the purpose for which you require the data. It is also important to seek a warranty from the seller assuring the data is accurate and up-to-date.
When there is a sale of a database, it’s common for the buyer to include warranties expecting the seller to comply with any obligations under data protection law.
Common warranties include:
- The data protection law has been complied with in all respects
- The seller is entitled to transfer the database to the buyer
- The seller is entitled to use the database for the purpose it intends to use it
- The seller has no notice of any claims/complaints in connection with data protection law by data subjects of the database
- The seller has received no notice that the ICO or other regulatory authority considers the seller to have infringed any data protection obligations
If you are buying or selling a database, we have specialist solicitors who can give you clear advice on how to proceed with the transaction whilst complying with data protection obligations.
What does data protection law mean for using business email addresses?
Business email addresses can be used to identify a living person: that is, the person who uses that email address. This is personal data.
As the use of an individual’s business email address will usually be for the performance of a contract (e.g. an employment contract) and for your legitimate interests (for example, to conduct your business), the use of a business email address is usually lawful under data protection regulation.
However, when you do use business email addresses, it is important that you respect the six principles for data protection.
It is also important that you do not use or reveal an individual’s email address for reasons unrelated to work. However, considering that business email addresses are usually limited to use for the day-to-day operation of the business, it is unlikely that use of a business email address would cause a breach of data protection regulation.
Does data protection law apply to business cards?
Business cards contain information about a living person and so the business card does contain personal data. It’s recommended that if you hold a business card containing the personal details of anyone other than yourself, you do not hand out that business card without that person’s permission.
However, if you are handing out the business card for a legitimate purpose such as the course of business, and the information concerns your employee, consent is not essential. In such circumstances, you should ensure you respect the six principles of data protection. This means the business card should only be used for a specified purpose, which would normally be to gain customers for your retail business, and should not be handed out carelessly and excessively. Not only would this undermine the specified purpose for which the employee provided the personal data included on the business card, it would also leave the employee vulnerable to cold-callers and viruses sent by email.
Business to business (b2b) and commercial data protection
How is business to business marketing affected by data protection?
When marketing to businesses, you do not need prior consent from the business receiving the marketing. However, for good practice you must provide businesses with the option to opt-out of marketing.
How does data protection apply during a business sale or business transfer?
When you sell or transfer your business, during the disclosure and due diligence period, you may need to provide the buyer with personal data of the directors, employees, suppliers and customers of the business. Similarly, in an asset sale, it’s common for the customer list and suppliers to be transferred to the buyer, meaning their personal details will need to be provided. This is especially true of employees that will be transferred under TUPE. Given that you will be sharing personal data that you hold, you are processing the personal data.
To ensure you comply with your data protection obligations, it is important to notify the individuals that their personal data is being disclosed to the buyer. It is also good practice for the buyer to notify the data subjects that they have received the personal data. As you may be reluctant to notify individuals in the early stages of the sale, it is advised that you anonymise the personal data until you reach a later stage in the deal.
If you are selling your business by way of share sale, the identity of the data controller will not have changed. This means it is not essential to notify individuals about processing unless the new shareholder will be using the personal data for a purpose different to the specified purpose.
If you are selling by way of asset sale, both the seller and buyer should inform the individuals about the disclosure and receipt of personal data.
The manner of notice may simply involve publicising the transaction. However, if there is personal data of customers with a relationship with the business, or if there is sensitive data being transferred, you should contact the individuals directly.
As with processing personal data in other circumstances, you must meet the conditions of processing. Although it is common to rely on legitimate interests, you should take care when transferring personal data before completion of the sale as it will be harder to justify such disclosure at this stage of the transaction.
It is also important to remember that if the identity of the data controller changes as a result of the sale (common in asset sales, not so in share sales), the ICO needs to be notified about the change within 28 days.
When you are selling your business, you should also ensure security of all personal data held throughout the transaction.
Data protection and different kinds of businesses
Is data protection for small businesses different?
No – data protection is not different for small businesses. The obligations under data protection law are the same for every data controller. The only difference lies in the fact that a large business with an exceptionally high turnover will pay a £500 registration fee to the ICO.
Is data protection for online businesses different?
No – as with small businesses, data protection is not different for online businesses. If your business is all online, you would need to take extra care when processing personal data because of the risk of hackers accessing the data and of the data being lost.
What does GDPR mean for life sciences companies?
The GDPR has broadened the definition of personal data to include pseudonymised data. Pseudonymisation is when personal data is processed in a way that means the personal data can no longer be attributed to a specific individual without the use of additional information. The additional information must be kept separately and protected by safeguards to avoid the data controller and third parties being capable of re-identifying the individual.
As a result, life sciences companies will need to reconsider whether the coded data used in their systems constitutes personal data under the GDPR. If a data controller or third party took reasonable means to identify individuals from the coded data, took reasonable measures to access the separately stored information, and succeeded in identifying the individual, this would mean the coded data also constitutes personal data.
In such circumstances, you would need to notify the ICO about your data processing activity, pay a fee, and comply with the obligations under the GDPR.
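The separation between coded data and the ‘additional information’ can be shown in code. This is an added example, not part of the original FAQ: it assumes a keyed hash (HMAC-SHA256) as the coding technique, and the `KeyCustodian` class, the `pseudonymise` function and the sample records are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; names and identifiers are invented.
PARTICIPANTS = [
    {"participant_id": "P-0001", "name": "Alex Example",
     "birth_date": "1984-03-12", "result": 5.4},
    {"participant_id": "P-0002", "name": "Sam Sample",
     "birth_date": "1990-11-02", "result": 6.1},
]


class KeyCustodian:
    """Holds the 'additional information' (a secret key), apart from the coded data."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def code_for(self, participant_id):
        """Stable code for one person; it cannot be recomputed without the key."""
        digest = hmac.new(self._key, participant_id.encode(), hashlib.sha256)
        return digest.hexdigest()[:16]

    def reidentify(self, code, known_ids):
        """Map a code back to a person, which only the key holder can do."""
        for participant_id in known_ids:
            if hmac.compare_digest(self.code_for(participant_id), code):
                return participant_id
        return None


def pseudonymise(records, custodian):
    """Build the coded dataset: direct identifiers dropped, birth date coarsened."""
    coded = []
    for record in records:
        coded.append({
            "code": custodian.code_for(record["participant_id"]),
            "birth_year": record["birth_date"][:4],
            "result": record["result"],
        })
    return coded


if __name__ == "__main__":
    custodian = KeyCustodian()
    coded_rows = pseudonymise(PARTICIPANTS, custodian)
    for row in coded_rows:
        print(row)  # what the research team works with
    all_ids = [p["participant_id"] for p in PARTICIPANTS]
    # With the separately held key, the first coded row maps back to a person.
    print(custodian.reidentify(coded_rows[0]["code"], all_ids))
```

Because the key holder can still map each code back to an individual, the coded rows are pseudonymised rather than anonymous, which is the situation the answer above describes.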
How does data protection affect regulated firms?
Regulated firms must comply with their relevant regulated authority (such as the FCA for financial companies, and the SRA for law firms). Considering regulated firms process personal data when providing services, these regulatory authorities require the firms that they regulate to ensure compliance with data protection. For this reason, a regulated firm may already have the measures implemented to comply with the current data protection obligations.
An example of data protection compliance imposed by the FCA is the obligation on regulated firms to prove they have robust systems which mitigate the risk of financial crime (such as a breach of data protection), and effective systems which detect, prevent and deter such crime.
However, as the GDPR has implemented new rules, regulated firms now need to take additional measures to meet the specific obligations under the GDPR. These new obligations include a requirement to provide users with the option to opt-in or opt-out of cookies and reducing the ability to include soft opt-in (marketing messages to existing customers). It is therefore advised that regulated firms take the time to review current data protection compliance and ensure that they are complying with all of the additional obligations under the GDPR.
What is the ePrivacy Directive and how has it been affected by the GDPR?
The ePrivacy Directive regulates the use of electronic communication to ensure personal data is protected and secured. The introduction of the GDPR has broadened the scope of the ePrivacy Directive by applying the same rules which already apply to phone calls, emails and SMS to instant and social messaging, voice over IP (for example, Skype), web-based email, and other digital forms of communication.
One of the biggest changes is the standardisation of consent. The GDPR requires consent under ePrivacy to be:
- Freely given, specific, informed and unambiguous
- Expressed by a statement or clear affirmative action – silence, pre-ticked boxes and inactivity don’t count
- Easy to withdraw
- Easily demonstrated by the organisation
- In clear and plain language
- Distinguished from other matters
There is also now an obligation to simplify rules on cookies by giving users the option to ‘opt in’ or ‘opt out’ of cookie consent choices. In addition to this, when marketing by way of phone calls, you should ensure you display your number when calling.
The ePrivacy Directive will be replaced by the ePrivacy Regulation (not likely to come into effect until 2023) and updates on this will be provided in due course.
How does data protection law impact on any freedom of information requests?
Often a good start is making clear what the request is in the first instance. An individual may make a request for their own information (a subject access request under the Data Protection Act 2018) but may think this falls under the Freedom of Information Act 2000. You may need to clarify this when completing a request. There has always been a certain amount of tension between the Data Protection Act and the Freedom of Information Act, as the Data Protection Act exists to protect people’s right to privacy, whereas the Freedom of Information Act is about removing unnecessary secrecy, which can sometimes be incompatible aims.
If someone makes a request for information that includes someone else’s personal data, a balance needs to be struck between the case for transparency and openness under the Freedom of Information Act and the data subject’s right to privacy under the Data Protection Act, when deciding whether information can be released without breaching the data protection principles.
There are also a few recent changes to data protection law which have raised new considerations when disclosing personal data under the Freedom of Information Act. The new definitions of personal data and sensitive personal data will now need to be considered and if the information is now considered to be the personal data of a third party, public authorities need to look at whether disclosure would breach the data protection principles. However, the Freedom of Information Act has been amended by the Data Protection Act 2018 so that the ‘legitimate interests’ lawful basis is applicable to public authorities considering disclosure.
How does data protection law affect blockchain?
Businesses using blockchain must ensure that the specific technical design meets the requirements of data protection law.
Blockchain databases allow transactions between parties without having to disclose their identity directly to the contracting party or the public. Therefore, as European data protection law is not aimed at transaction data alone, companies can lawfully use and process such data without being subject to specific data protection restrictions, as specific individuals cannot be traced from this data.
There may, however, be a potential need for data protection with some blockchain databases. For example, a study has shown that the Bitcoin address of a service user documented in the blockchain can be traced back to its IP address, and the IP address can be traced back to a specific internet connection or connection owner. It is true that no names, addresses or telephone numbers identify individuals in the corresponding transaction data entries of the blockchain, and de-anonymisation of the corresponding entries is possible but not common; it could be avoided if the technical design was adapted. To this extent, companies considering the utilisation of blockchain technology should bear in mind the data protection principle of privacy by design.
Blockchain databases may not be fit for purpose for privacy by design. In practice, while some of these principles (like transparency, privacy by default, data protection as an integral part of application design) may easily be incorporated into the technological layer of blockchain applications, the effectiveness of data protection throughout the entire life cycle of the application may be more difficult to achieve.
Blockchain databases could be used for the purposes of data protection, as under the purpose limitation principle personal data may only be collected for clear and legitimate purposes and not be further processed in a manner incompatible with these purposes. Compliance with the purpose limitation principle could be monitored by providing each piece of individual personal data with a meta-tag (a unique electronic label that provides information on the nature and extent of the processing allowed for the personal data). A decentralised register managed as a blockchain could be used to make the processing of personal data by companies more transparent.
The European Court of Justice has ruled that EU citizens are entitled to a claim against internet search engine operators so that they remove any content retrievable from search results, if the information on the individual concerned was not significant to public interest. There is also now under the GDPR a “right to be forgotten” which is enforceable against any data controller. This being the case, blockchain mechanisms must remain editable, but a limitation to this is that trustworthy administrators are needed to alter the blockchain’s ledger according to present rules, meaning it may not remain a decentralised peer-to-peer database.