Hannah Nagel, an associate solicitor in Mincoffs Solicitors’ commercial team who specialises in data protection, advises on five key points to help businesses stay compliant.
Most businesses will come into contact with personal data, which can range from basic identifiers, such as names, email addresses and IP addresses, to more sensitive information, such as medical records or information about someone’s racial origin or religious beliefs, which the UK GDPR treats as ‘special category data’ and subjects to stricter conditions.
Under the UK GDPR, businesses must handle this data responsibly, ensuring compliance with legal requirements to protect individuals’ privacy and security.
Customers want to know how you will handle their personal data, and telling them is also a legal requirement under the UK GDPR. This is called the ‘transparency principle’.
You must also have a lawful basis, such as legitimate interests or consent, for processing their personal data.
You should be proactive and tell your customers what you’re doing with their data and why, and what lawful basis you are relying on to do so. This is best communicated via a privacy notice.
Some businesses fall into the trap of using a generic template or copying another organisation’s privacy notice found online. This runs the risk of non-compliance: the whole purpose of a privacy notice is to explain how your business handles personal data, so a notice that describes someone else’s processing will not do the job. It is therefore crucial that your privacy notice is tailored to your organisation.
We recommend viewing data protection compliance as an investment in your business’ future. This investment can help reduce the risk of, and time and cost of dealing with, data breaches and complaints raised by customers that can arise when effective practices are not implemented at the outset.
Complying with your data protection requirements can also bring incidental advantages for your business. For example, one of the other key principles of the UK GDPR is ‘storage limitation’, which means that you must not keep personal data for longer than is necessary for the purpose you collected it. Limiting what you keep in this way can make it quicker and easier to find what you need, and it also reduces how much data is exposed if you do suffer a breach.
Every business should proactively ensure that appropriate security is in place for its IT systems; the UK GDPR requires ‘appropriate technical and organisational measures’. What is appropriate will depend on your business and the type of data processed, but it is usually a good idea to keep software patched and up to date, run current anti-virus software, enforce a strong password policy (with multi-factor authentication where it is available) and provide regular training for staff.
At the outset of a project, data protection impact assessments (DPIAs) are a useful tool to help organisations identify and mitigate risks, and they are mandatory where the processing is likely to result in a high risk to individuals.
One of the most well-known rights is the ‘right of access’, which many businesses will know through data subject access requests (SARs). However, there are eight data subject rights to be aware of: the right to be informed, the right of access, the rights to rectification, erasure and restriction of processing, the right to object, the right to data portability, and rights in relation to automated decision-making, including profiling.
Your organisation must comply with these rights and requests (including SARs). We would recommend that you seek legal advice if you are unsure how to comply.
If you use any third-party payment providers, CRM providers, payroll providers or analytics services, those suppliers will usually be processing personal data on your behalf, so it is important to ensure that there is a written data processing agreement in place with each of them.
The law (Article 28 of the UK GDPR) stipulates that certain points must be included in a data processing agreement. For example, the contract must identify the controller and the processor, and it must set out the processor’s responsibilities, such as: only processing personal data on documented instructions from the controller; taking appropriate security measures; not engaging a sub-processor without the controller’s authorisation; and deleting or returning all personal data when the contract ends, at the controller’s choice.
Under data protection law, most businesses handling personal data must pay a data protection fee to the Information Commissioner’s Office (ICO) and you may be subject to a fine if you don’t pay.
In our view, investing in compliance is worthwhile because the consequences of non-compliance can be significant. Aside from reputational damage, the ICO can impose fines of up to £17.5 million or 4% of total annual worldwide turnover in the preceding financial year, whichever is higher.
In an increasingly data-driven world, now more than ever is the time to invest in your business’ data protection compliance.
To speak to a data protection and privacy solicitor, call our commercial team on 0191 281 6151 or email Hannah Nagel, associate solicitor at [email protected].