Is your business compliant with data protection laws?
It’s important for businesses to be compliant with data protection laws, but the letters UK GDPR don’t have to be daunting to your business. Here are the things to look out for (and correct) in your privacy policy.
It’s 1998 or is it?
The first thing we look for when carrying out an audit of a business for data protection compliance is a policy that references the incorrect legislation. The current data protection laws are the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018. It is surprising how many privacy policies refer to the Data Protection Act 1998, which was repealed in 2018 and is no longer good law.
As an example, under the 1998 act, an individual (data subject) was required to pay a fee to find out what data a business (controller) is using (processing) about that data subject. Under the current legislation a fee isn’t usually payable unless it’s a repeat request or the request is manifestly unfounded or excessive.
Contact details
It may seem obvious, but a well-drafted privacy policy must contain the data controller’s address. Use your postal address and an email address that is regularly monitored. Data subjects can then use this email address to exercise their data rights, such as making a subject access request.
The information we collect and why
One of the important aspects of a privacy policy is to explain to the data subject what data you, as the controller of the personal data, hold and process. The controller would ordinarily explain how they obtained the data, what the data is used for and why it is used.
Lawful bases
There are six lawful bases that a data controller may rely on for using personal data: consent, performance of a contract, legal obligation (to comply with the law), vital interest (to protect someone’s life), public task (processing in the public interest) and legitimate interest (processing for the data subject’s legitimate interest or the legitimate interest of a third party). Most data controllers rely on consent or on performing obligations under a contract. Relying on consent is mostly wrong, as the correct processing basis is performance of a contract. In addition, legitimate interest provides the most flexibility in terms of the scope of processing that is achievable and is frequently more appropriate if some further marketing will be done. Despite this flexibility, the data controller is still obliged to conduct a Legitimate Interest Assessment. This may not seem important, but misuse of consent is problematic for businesses because consent can be withdrawn at any time, at which point the business must stop processing while it finds an alternative processing basis and communicates that to the data subject.
Data protection rights
Data subjects have certain rights in relation to their personal data. The rights should be briefly stated in the privacy policy, which should also explain that data subjects can raise them with the data controller. Rights include the right of access (to find out what data is being processed and why, and to receive copies of the personal data), the right to rectification (the opportunity to correct personal data that is not accurate), the right to erasure (sometimes known as the right to be forgotten), the right to restriction of processing, the right to object to the use of your personal data (to stop your data being processed), and the right to data portability, which is when one organisation transfers data to another organisation. Whilst all of these rights are included in legislation, some are absolute and some are qualified rights, meaning that a data subject does not, in every instance, have the ability to exercise the right.
How long is your data used?
A privacy policy would usually explain how long the personal data will be retained; under data protection law, personal data should only be retained for as long as is necessary.
How to complain
Usually there will be contact details explaining how a data subject can complain; the ICO would also expect its own address, telephone number and website address to be included.
The ICO has launched a new tool to draft a basic privacy policy for small businesses. JMW’s specialist data protection solicitors regularly advise our corporate clients about data compliance, and we can conduct a review of your data protection policy or a full audit of your business’s data compliance. We can also draft a more bespoke privacy policy.