
Five Things All Businesses Should Know About the UK GDPR

Issue 110

Hannah Nagel, an associate solicitor in Mincoffs Solicitors' commercial team who specialises in data protection, advises on five key points to help businesses stay compliant.

Most businesses will come into contact with personal data, which can range from basic identifiers, such as names, email addresses and IP addresses, to more ‘sensitive’ personal information such as medical records or religious beliefs.

Under the UK GDPR, businesses must handle this data responsibly, ensuring compliance with legal requirements to protect individuals’ privacy and security.

1. Your customers need to know what happens to their data

Customers want to know how you will handle their personal data, and telling them is also a legal requirement under the UK GDPR. This is called the ‘transparency principle’.

You must also have a lawful basis, such as legitimate interests or consent, for processing their personal data.

You should be proactive and tell your customers what you’re doing with their data and why, and what lawful basis you are relying on to do so. This is best communicated via a privacy notice.

2. Get ahead of your data protection obligations to save time and money

We recommend viewing data protection compliance as an investment in your business’ future. This investment can help reduce the risk of data breaches and complaints resulting from non-compliant practices, which can save time and costs.

Complying with your data protection requirements can also result in inadvertent advantages for your business. For example, another key principle of the UK GDPR is ‘storage limitation’, which means that you must not keep data for longer than necessary. Limiting data storage in this way can make it quicker and easier for you to find what you need.

At the outset of a project, data protection impact assessments (DPIAs) are a useful tool to help organisations identify and mitigate risks.

3. Be aware of the eight rights of individuals

One of the most well-known rights is the ‘right of access’ which is often exercised as data subject access requests (SARs). However, there are eight data subject rights to be aware of: the right to be informed, to access, rectify, erase, restrict processing, object, data portability and rights in relation to automated decision-making, including profiling.

Your organisation must comply with these rights and requests (including SARs). We would recommend that you seek legal advice if you are unsure how to comply.

4. Consider any third parties that may handle personal data on your behalf and make sure you have agreements in place

If you use any third-party payment providers, CRM providers, payroll providers or analytics services, then it is important to ensure that a data processing agreement is in place with each of them.

The law stipulates what must be included in a data processing agreement. For example, the contract must state the processors’ responsibilities such as: only processing personal data on documented instructions from the controller; taking appropriate security measures; and returning all personal data when the contract ends.

5. Pay the annual data protection fee to the ICO

Under data protection law, most businesses handling personal data must pay a data protection fee to the Information Commissioner’s Office (ICO) and you may be subject to a fine if you don’t pay.

In our view, it is worth the investment in compliance as the consequences of non-compliance can be significant. Aside from reputational damage, the ICO can also impose fines of up to a maximum of £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

In an increasingly data-driven world, now more than ever is the time to invest in your business’ data protection compliance.

To speak to a data protection solicitor, call our commercial team on 0191 281 6151 or email Hannah Nagel, associate solicitor at hnagel@mincoffs.co.uk

www.mincoffs.co.uk
