Data Protection in Outline
Data protection in the UK is governed by a framework of several overlapping laws: the General Data Protection Regulation 2016/679 (“GDPR”), the Data Protection Act 2018 (“DPA”), the E-Privacy Directive 2002/58/EC and the Privacy and Electronic Communications Regulations 2003 (“PECR”).
If your organisation processes personal data and is either established in the European Union or offers goods or services to, or monitors the behaviour of, individuals in the European Union, then it will need to comply with these data protection laws.
If you would like any guidance on data protection laws or have any questions about the services we offer, then please get in touch.
Policies and Procedures
The GDPR requires organisations to implement policies and procedures, and to create records that demonstrate compliance with their obligations under GDPR (the “accountability” principle). This includes:
- preparing privacy policies and cookies policies that appropriately inform data subjects (customers or visitors to your website) how your organisation processes personal data;
- creating and maintaining internal policies that address your organisation’s obligations under GDPR in key areas such as data subject rights, data breaches and data retention;
- maintaining records of your organisation’s processing activities, consents obtained from data subjects and security breaches; and
- producing records of decisions made by your organisation when conducting exercises such as data protection impact assessments (DPIAs), personal data breach assessments, and whether to designate a statutory data protection officer.
Please contact us if you would like any support preparing these policies, records or documents.
Consent
Consent under the GDPR must be “freely given, specific, informed…” and data subjects must signify it by a “clear affirmative action”. The revised definition of consent under GDPR has had a significant practical impact on organisations seeking to rely on consent to process user data.
For example, organisations need to keep consent requests separate from their terms and conditions, and the use of pre-ticked boxes to obtain data subjects’ consent is no longer a valid method (however, see the exception for E-mail Marketing below). It is also no longer acceptable to obtain consent on behalf of another company (such as a media partner) without specifically naming that party in the consent request, and data subjects must be able to withdraw consent as easily as they gave it.
We can advise you on whether your organisation requires consent to process personal data, and if so, how appropriately to obtain and record those consents.
Data Security Breaches
The GDPR defines a personal data breach as: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.” The definition is deliberately broad: if the personal data held by your organisation is compromised in any way, including its confidentiality, integrity or availability, that will usually amount to a personal data breach.
Unless the breach is unlikely to result in a risk to the rights and freedoms of the affected data subjects, your organisation must report it to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. The report must contain certain prescribed information (including the nature of the breach, the categories and approximate numbers of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it) in order to comply with your reporting obligations under GDPR. Where the breach is likely to result in a high risk to the affected individuals, they must also be informed without undue delay. Every breach, whether reported or not, must be documented internally.
Where the breach is serious, the ICO may investigate and commence enforcement action against your organisation. Aggrieved data subjects may also pursue damages claims against your organisation via the civil courts for any harm suffered as a result of the breach.
We have significant experience advising on matters related to data security breaches including assessing the impact of breaches, determining whether breaches need to be reported to the ICO, compiling those reports, and representing and defending your organisation against any consequential action commenced by the ICO or data subjects.
E-mail Marketing
Contact lists containing e-mail addresses are valuable data for any organisation; they are how many organisations contact potential customers to promote their businesses.
E-mail marketing is governed by both GDPR and PECR. An e-mail address will almost always constitute personal data (it relates to, and is used to identify, a specific individual, even where it does not contain that individual’s name) and must therefore be processed in accordance with the GDPR.
PECR sits alongside the GDPR and sets out specific rules on direct marketing by electronic means, in particular unsolicited marketing e-mails sent to individual (as opposed to corporate) subscribers.
We are experts in both PECR and GDPR and can assist you in understanding and complying with these complex laws.
Please email Simon Halberstam, Head of Technology Law, or call 020 3206 2781.