Information and Data Protection Law

If you handle personal data (information that relates to a living identified or identifiable individual) then the way you and your employees handle that information is regulated by the data protection legislation.

You’ll be required to comply with UK GDPR for example if you:

• Keep or use personal data about your stakeholders, whether that is your customers, staff, suppliers or other individuals
• Have a website that collects personal data (e.g. via cookies, an enquiry form or subscribing to newsletters)
• Transfer personal data from the UK (or EU, if based there) to countries other than the UK or EU – whether that is other companies within your group, or other customers or suppliers overseas
• Process personal data on behalf of another company

DMH Stallard assists businesses in the assessment of whether information they hold is personal data under UK GDPR. From a legal perspective, the question is not always clear cut. For example:

• When assessing whether the information you hold about individual customers or clients is ‘personal’ remember that the data can include factors like IP address – it’s not limited to the more obvious identifiers like names and addresses
• The information must ‘relate’ to a living individual so we must consider the content of the information, the purpose or purposes for which a business is processing it and the likely impact that processing will have on the individual

UK GDPR applies to data processing carried out by businesses which operate in the UK, as well as to companies outside the UK if they sell goods or provide services to, or otherwise process personal data about, individuals in the UK.

You’re required by law to store and process personal data securely and to minimise the threat of personal data breaches. But irrespective of any legal obligation it makes commercial sense to implement data security measures across your organisation. When a breach occurs, there may be reputational damage as well as possible fines. Dealing with the fallout from an avoidable breach can also use up valuable staff resources. Some ways you can reduce the possibility of data breaches include:

• Staff training on IT security and data protection rules
• Protocols for data minimisation so that you don’t hold personal information for longer than legally required and reduce risk on the data you do hold
• Ensuring access to information is carefully controlled so that, for example certain categories of information are accessible only to staff above a certain seniority level
• Implementation of clear desk policies so that personal information is not left exposed
• Having clear rules about how staff handle information when they are working remotely
• Introducing specific measures for highly sensitive information, including medical information or employment history
• Practical measures like locking cabinets, ensuring windows and doors are secure and ensuring staff use strong passwords and that adequate firewalls and anti-virus software are in place

The data protection legislation is complex and in our experience there are a lot of misconceptions about the rules around UK GDPR compliance. A common misunderstanding is that to use someone’s personal information you always need their consent. This isn’t the case. The legislation sets out what are known as ‘lawful bases’ for processing data. Consent is one of six lawful bases. Other lawful reasons for processing data include where you need to process the information to fulfil a contract with the individual (for example to supply goods or services) or where you need to process the information to comply with a legal obligation.

Consent however is very commonly required. For example, you will need an individual’s agreement to use personal information when you want to use it in an intrusive way and for many types of marketing calls and messages. The ICO has issued multi-million pounds fines against companies responsible for nuisance (that is made without the consent of the recipient) calls, texts and emails since April 2022.

The ICO describes a personal data breach as a ‘breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’. It’s important to note then that not every breach of personal data needs to be reported to the ICO.

When a breach occurs it’s for the business to make an assessment as to whether the breach is reportable or not. At DMH Stallard we assist businesses in this kind of situation, providing proportionate and pragmatic guidance on how to handle the breach.

The key consideration is the likelihood and severity of the risk to people’s rights and freedoms following the breach. If it’s likely there will be a risk, then you must report the breach to the ICO. If there is no likelihood of risk to the individuals’ rights then instead of reporting the matter, internal measures such as logging the breach and strengthening procedures in response may be more appropriate.

UK GDPR doesn’t oblige companies to have a formal data protection policy but in our experience most businesses appreciate the need to develop a data protection policy that’s comprehensive, easily accessible and regularly reviewed.

It’s important that any policy is tailored to the needs of the particular business. Data protection obligations will always vary from company to company depending on the nature of the business and the kind of information that’s being processed. Common provisions in a data protection policy include:

• Categorisation of the data processed and controlled by the company
• Details of the perceived risk to data posed by the company and its activities
• Identification of staff responsible for data protection and their contact information, including the Data Protection Officer(s)(DPO) and an explanation of roles and responsibilities of those handling data
• A list of data protection measures that are in place
• Data storage and back up procedures
• Details of how the company will lawfully process data (using one of the six bases contained in UK GDPR like consent)

To be clear, a data protection policy is not the same as a Privacy Notice – the latter is mandatory as you must inform data subjects about your use of their personal data.

A lot of the publicity around UK GDPR is about the enormous fines that can be imposed on businesses that breach the rules. But the potential for fines isn’t the only repercussion of a business breaching data protection law. We’ve seen in cases involving internationally renowned brands the reputational damage that can be caused by data breaches of any significance. In addition, individuals affected by the data breach can instigate proceedings against the business and obtain large compensation awards for financial loss as well as for the distress and harm they have suffered.