Data protection in the UK

Data Protection Lawyers

Following the implementation of GDPR, smaller businesses, particularly those with suppliers, customers and users in the EU, need to pay much closer attention to compliance. Even smaller companies that may not expect to be on the ICO’s radar may well find that customers, business partners and investors expect them to demonstrate their compliance.

What do smaller businesses need to be aware of? We look at:

  • What is the current legal framework for data protection?
  • Steps even small businesses should take
  • Why invest in data protection?
  • How we can help

What is the legal framework for data protection?

The Data Protection Act 1998 governs the use of personal information by businesses and other organisations. Anyone who processes personal information must comply with the 8 principles, which include being clear on the purpose for processing, record-keeping, upholding individuals’ rights and, importantly, data security.

Since 2010, the ICO has had the power to issue monetary penalties up to a maximum of £500,000 for serious breaches. Companies with low turnovers are not exempt.

Prior to Brexit, the GDPR had direct effect across all EU member states and businesses.

Protection by design and by default

The concept of “data protection by design and by default” requires organisations to set up their processes, policies, systems and services around compliance requirements. It is a conscious effort to move away from ‘tick box’ compliance (such as having a standard privacy policy and some standard consent buttons on the website) to a more rigorous approach safeguarding privacy interests of consumers, patients, employees and other individuals.

Since the GDPR first came into force in May 2018, data subject rights have expanded and a full spectrum of reporting obligations has been introduced. However, what concerns businesses are the new monetary penalties, which raise the prospect of organisations in serious breach incurring potential fines of the higher of 20 million euros or 4% of annual global turnover. This is not to mention the aggravation and bad publicity which can follow a failure to comply with data protection rules.

Brexit – What changed?

The GDPR was retained in UK legislation post-Brexit by the Data Protection Act 2018 and the “UK GDPR.” In short, while the UK parliament has the theoretical right to depart from the EU’s data protection rules, all indications are that in the short to medium term the former obligations will remain in place so that there will be little practical change.

Data protection for small businesses

If you haven’t done so already, you urgently need to review your data protection policy, security and procedures for responding to data breaches. We outline the minimum steps every business should take, no matter how small their turnover.

  • Privacy policies – These need to be updated and publicly available on your website. A privacy policy is a public statement of how your organisation applies GDPR’s data protection principles to processing data. It should be clear and concise and easily accessible. As well as making your privacy policy available on your website, you also need to make it clear how data will be used and by whom (no pre-ticked boxes) and make it easy to unsubscribe from marketing at any time.
  • Data protection compliance officer – A Data Protection Officer is tasked with monitoring compliance with data protection law, training employees and handling complaints. The requirements to appoint a data protection compliance officer and to complete a formal processing impact assessment are imposed on organisations engaged in “high risk” activities or which process special categories of personal data (such as health records) or engage in significant profiling or monitoring of individuals. For many smaller businesses it may not be necessary to appoint a DPO. However, with the number of complaints from consumers received by the ICO on the rise, it may be worth appointing a DPO to stay on top of your data compliance and minimise the risk of fines. You must publish contact details for your DPO on your organisation’s website, make them easily accessible to your employees and communicate them to the ICO.

Record keeping to protect against GDPR claims

Due diligence includes mapping any data flows, identifying the data security structures and defining access rights and authorisations etc. This basically comes down to carrying out something similar to a smaller-scale impact assessment.

Security is one of the key operational requirements of the law. This applies not only to the technical security measures that an organisation has to put in place to secure personal data it stores but also the organisational measures – access rights, access controls, authorisation levels, dissemination and access policies, monitoring, audits, training of staff etc.

Data processing agreements?

These are required in any case where an organisation allows another organisation to access, store or use personal data records. Cloud computing providers, IT system services and support providers, data analysis services and other third parties that may have access to your consumer or employee data have to sign data processing agreements that comply with the requirements of GDPR.

Check that you have obtained adequate consent from data subjects. Failure to obtain correct consents and implement adequate data processing agreements will likely result in a call from the ICO. It is not worth risking a business-crippling fine.

Why invest in data protection?

There is a pattern emerging not only with the ICO, but also with other regulatory bodies such as the FCA. Rather than wait for a breach and then face penalties, regulators are looking for companies to take proactive and positive steps to ensure compliance.

As GDPR sets a high standard, meeting its requirements will go a long way towards compliance with the privacy laws of almost any other country, so it is worth taking the time to make your business compliant.

Many smaller businesses do not invest in becoming GDPR-compliant. The risks of not taking any action are only too clear in the ICO’s list of recent fines and the increasing number of larger companies succumbing to insolvency as a result of data breaches.

How we can help

Many of the compliance tasks can be undertaken primarily by your organisation internally. Carrying out the due diligence, documenting processes and systems, putting in place control systems, authorisation levels etc. and writing and compiling policy papers and records as required by the legislation are tasks that will require access to operational personnel information and would be time consuming.

We can assist with:

  • reviewing and commenting on operational documentation such as data retention policies, IT security policies, data sharing and access rights policies;
  • drafting or amending legal documentation such as the privacy policy statements, standard data processing agreements and data export agreements;
  • communicating with regulators (for example, if there is an audit, investigation or a complaint against the business or an individual); and
  • addressing data subject access requests, including what you do and don’t need to disclose.

We can also help with handling complaints, responding to contact from the ICO, and minimising the fallout from data breaches.

Whether you are only just getting around to sorting out your compliance or you don’t know what information you need to disclose in a subject access request, we can assist. With reported data breaches on the rise, the risk of an ICO penalty is higher. Please do call us to discuss any data protection concerns for your business on 0207 438 1060.

John Deane

John solves commercial problems for SMEs and their investors. It is said that he is unbelievably practical and seasoned in finding the right solution without too much fuss. He has an established reputation in the technology, art and media industries.
