Perhaps the area where many businesses are most likely to risk falling foul of the law is data protection. Data protection is a big issue for businesses and for all of us as individuals, and its importance, and the regulatory focus upon it, is ever increasing.

Businesses need to be aware of and comply with their obligations under the applicable legislation which includes, for businesses dealing with UK customers, the UK GDPR. In summary, the GDPR regulates how businesses and other organisations are allowed to handle or process personal information relating to their customers, employees and other individuals.

One of the key obligations under the GDPR is an obligation of transparency - businesses must be open in telling us what they do with our personal information in a privacy policy or notice.

What information must be provided?

The information to be provided may depend on the nature of the personal information being processed, how it has been obtained and other circumstances, but in summary information which must generally be provided includes:

  • details of the business processing the information and contact details;
  • details of all the purposes for which the information is used, including order processing and marketing and any other purposes;
  • the legal basis relied upon by the business for processing the information, including for example:
    • consent (which must be freely given, specific and informed, and given by a clear positive act of the individual);
    • because it is necessary for the performance of a contract with the individual, for example processing an order they have placed;
    • because it is necessary to comply with a legal obligation of the business; or
    • because it is in the legitimate interests of the business and this is not outweighed by the interests of the individual when balanced against their fundamental rights and freedoms;

Where the information being processed falls under one of the special categories of sensitive information (relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life or sexual orientation) then, unless the processing is necessary in connection with the employment of the individual or in very limited other specific circumstances, the explicit consent of the individual is likely to be required.

  • in cases where the personal information is shared with or transferred to any other person or organisation, the details of the persons or categories of persons receiving the information. Examples might include other group companies of the business or persons used to process information on the business’s behalf;
  • details of any transfers of the information by the business to any countries outside of the UK (which will be lawful only if the UK has determined that the country provides adequate protection or if approved safeguards, such as the International Data Transfer Agreement or the UK addendum to the EU standard contractual clauses, have been put in place);
  • how long the information will be kept (or if this is not a specified period how this will be decided);
  • the rights of the individuals in relation to their information, which will depend upon the legal basis relied upon for processing and the circumstances but include rights:
    • to access details of the information held;
    • to have any incorrect information corrected;
    • to request the information is erased (unless it is necessary for specified reasons for the business to keep the information);
    • in certain circumstances to request restriction of the processing or to object to processing;
    • to request a transfer of the information to someone else;
    • to withdraw consent (where applicable); and
    • to complain to the Information Commissioner’s Office;
  • where applicable, details of any automated decision making or profiling for which the information is used; and
  • in circumstances where the information is obtained from a source other than directly from the individual concerned, details of the type of information collected and the sources from which it was obtained.

When must information be provided?

If information is collected directly from the individual it must be provided at the time the information is collected.

If it is obtained from a source other than the individual, it must be provided within a reasonable time and at the latest within one month of being obtained, or earlier if the business first communicates with the individual, or first discloses the information to someone else, before the month has passed.

How must the information be presented?

The information must be presented in a way which is transparent and honest, using clear and plain language which is readily understandable and easily accessible for its target audience.

It must also be presented concisely. This may mean providing it using a layered approach, where short notices relating to a particular point link to more detailed explanations, or separating the information under headings into short sections which are easily identifiable and digestible for the reader.

Why is it important?

There are good reasons to treat privacy policies and compliance with data protection legislation generally very seriously.

The obligation to have a compliant privacy policy relates principally to the first of the six data protection principles, which is concerned with lawfulness, fairness and transparency. However, the process of thinking properly about what personal information a business holds, how it uses it and what else should be included in the policy is also an essential starting point for considering and addressing the obligations of the business under the other five data protection principles.

Regulatory scrutiny is only likely to increase, and the ICO has substantial enforcement powers, including the power to impose fines of up to £17,500,000 or 4% of total annual worldwide turnover, whichever is greater.

Breaches of the legislation can give rise to claims for damages from individuals affected, severe reputational damage and loss of trust and customers.

Also if the business is ever to be sold, not being able to demonstrate to a buyer that it has complied with the legislation could be a serious obstacle to the sale.

This is a summary of the relevant law for general information purposes only. It is not intended and should not be relied upon as legal advice.

If legal advice on any matter relating to data protection is required, please contact us on 08081668827

Copyright Sydney Mitchell. October 2023
