Data protection

A data breach is not just the loss of personal data. It can include any breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (for example, a cyber-attack which shuts down your systems could leave data unavailable, but not actually lost). Data breaches can affect any business, and can vary hugely in scope and seriousness. Ensure that your relevant teams are briefed on the situation (and if necessary bring in outside help), so you can take steps to:

• mitigate the effect of the breach (for instance, remotely wiping a lost device)
• reduce the chance of a breach happening again (consider technical measures and staff training)

You also need to consider what notification obligations there are on you:

• all data breaches should be logged in your internal data breach register
• if you are acting as a processor, you will need to notify any relevant controller clients (look at your contracts to see if there is a specific timescale for this)
• if the breach is likely to post a risk to individuals’ rights and freedoms, you must notify it to the ICO (the UK’s data protection authority) within 72 hours.
• If the breach involves personal data for individuals outside of the UK, consider if you need to notify data protection authorities in other countries. While the threshold (and timescale) for data protection authorities in the EU will be the same, other countries will have their own distinct requirements.
• If the breach is likely to result in a high risk to individual’s rights and freedoms, then you will also need to notify them without undue delay. As well as ensuring any notification includes the information required by data protection law, you will also want to consider what additional information or assistance you can offer.

More information on reporting data breaches (and a self assessment tool to decide what notifications to make) is available on the ICO website at https://ico.org.uk/for-organisations-2/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches If you require assistance with a data breach, or advice on actions to take following a data breach, contact our data protection team.

Controllers and processors are terms used to describe how an organisation uses personal data. Confusingly “process” is also used to describe any use of personal data (including storage and deletion), so both controllers and processors carry out processing. A controller determines the purposes for, and means by which, personal data is processed. The more constrained a party is in how it can handle personal data, the less likely it is to be a data controller. Factors which can be looked at in determining whether a party is a data controller include:

• The level of instructions given to the party processing the data which determines the degree of independence a processor can exercise
• How closely a party monitors the processing activities
• The expertise of the respective parties
• The impression given to data subjects as to who has control over the processing of their personal data

If a party decides any of the following, it is most likely a data controller:

• whether to collect the personal data in the first place, and the legal basis for doing so
• what and whose personal data to collect
• the purpose the data is to be used for
• whether and who to disclose data to
• how an individual can exercise their rights in relation to the data (or whether an exemption is applicable)
• how long to retain the data for or whether to make non-routine amendments to it.

If a party (usually a service provider) doesn’t decide any of things, it is most likely a data processor in that situation. A company can be a processor on behalf of a controller in some situations, but a controller in its own right in other situations. For example a web-hosting provider may be a processor of the data it stores for clients, but a controller in relation to its HR data and the information it holds on its CRM. Processors have fewer responsibilities regarding personal data (as they are not responsible for decision-making) but they do have direct obligations under data protection law. Controllers appointing processors also need to ensure they have a contract in place which includes certain obligations on the processor. Data protection law sets out what those obligations must be, but the parties can negotiate the exact scope of those obligations. If you need to draft, or negotiate processor clauses, or are unsure if you (or a service provider) are acting as a processor, contact our data protection team.

It’s a common misconception that organisations need an individual’s consent to share their personal data. While in some circumstances consent may be required, organisations may instead be able to rely on the fact that the disclosure is necessary:

• for the purposes of a contract with that individual
• for the organisation (or another party’s) legitimate interests (and those interests aren’t overridden by the interests of the individual)
• to comply with a legal obligation
• to protect the vital interests of the individual
• to carry out a task in the public interest or in the exercise of an official authority vested in you

If you can demonstrate that disclosure is necessary for one of these purposes, you would not need consent. You should ensure that you record that you have made the disclosure, and the reason (from the list above) which you have relied upon. In addition, if you are relying on legitimate interests you should record both the legitimate interest and your assessment of how it impacts the interests of the individual. If you are unsure as to whether you can disclose personal data in a situation without the individual’s consent, contact our data protection team.

Although documentation alone is not sufficient to achieve compliance (much like health and safety, compliance is about practical implementation of your policies, not just paperwork), there are some basic documents which will be required:

• Notices. You must supply a privacy notice to anyone whose personal data you hold (subject to some exceptions). It’s worth remembering that employees are data subjects too, and you will need a privacy notice to set out how you use their data. You are likely to need a minimum of two privacy notices (an internal one for personnel, and an external one for everyone else).
• Contracts. If you use a “processor”, data protection law requires you to have a written contract with that processor, which must include details of the processing and some specific obligations on that processor
• International Transfers. If you transfer personal data outside of the EU and UK, you may need to have in place “Standard Contractual Clauses” or an “International Data Transfer Agreement” with the recipient, to ensure an equivalent level of protection for the personal data you are transferring.
• Data Controller Register. You must keep a record of your processing activities (and a general description of your security measures). While this obligation is reduced for organisations with fewer than 250 employees, any size organisation will have to keep at least a partial record. Keeping a full record is a matter of best practice and assists your other compliance activities.
• Data Breach Register. You must document any data breaches you suffer (even if they are not serious), the effects of that breach, and the remedial action you have taken.
• Special Category Data Appropriate Policy Document. The Data Protection Act 2018 requires that, if you process special category data (particularly sensitive types of data which includes health information) in certain circumstances (including for instance monitor sick leave or for other employment related reasons) you will need an appropriate policy document setting out how you comply with data protection principles and your retention and erasure policies regarding that data.

Those documents will need to reflect your actual activities and processes, they should not be “off the shelf” templates without any amendments. If you need any assistance in reviewing or drafting your compliance documentation, contact our data protection team.

The UK GDPR restricts certain transfers of personal data outside of the UK. Generally, this will relate to transfers to recipients established outside of the UK. To establish whether you can do this, you need to consider the following points as part of a “Transfer Risk Assessment”:

• What territory is the recipient in? Recipients in the EU, or certain territories which the EU and UK have deemed to have adequate data protection (such as the Isle of Man, but not including the USA) don’t need any further compliance measures
• Is there an applicable exemption? For certain occasional transfers, you may be able to rely on an exemption, especially where the transfer is for the benefit of the individual. If you get consent from the individual for the transfer, this also validates the transfer, but bear in mind the individual may withdraw consent at any time for future transfers and the consent must be validly obtained.
• Can I use standard contractual clauses (SCCs)? SCCs are issued and approved by the EU and the ICO (there are different versions depending on whether you want to use only the ICO version, or a combination of the ICO and EU versions). SCCs are templates and should not be changed, but certain information will need to be included. If the SCCs are agreed between you and the recipient, you will also need to review what supplementary measures you may need to put in place as well to ensure the data is protected.

If you’re not able to take rely on any of the points above, you may not be able to transfer the data outside of the UK. You should consider alternate providers or partners in the UK, or potentially anonymising the data before it is transferred (although you must ensure it is properly anonymised to ensure it is not subject to data protection requirements). If you need any assistance in relation to international transfers, or drafting or agreeing clauses for transfers, contact our data protection team.

Responding to a DSAR can be a time consuming, complex, and potentially expensive process. The ICO has detailed guidance on the process here https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/right-of-access/ but we’ve set out some key points below:

• Verify identity. You must ensure that you are responding to the right person, so take reasonable measures to verify the identity of the requestor, otherwise you’ll be at risk of a data breach
• Consider all the systems you actually need to search. This might include email, document management, archives, CCTV, and access logs. You may want to narrow these down by asking a requestor to specify which systems (from a list you provide) they would like you to search.
• Don’t delay. The timescales for responding to DSARs can be tight, especially where large volumes of data are involved. Acknowledge the request, verify the requestor’s identity, and clarify the scope of the request quickly (and potentially start a search process internally even before these steps are completed)
• Involve relevant people. While handling a DSAR should be led by someone who is familiar with data protection requirements and has a suitable level of responsibility, they may need to involve people from other teams, or support staff, to search the organisation’s records and provide context or help as needed
• Consider applicable exemptions. Certain information may also involve personal data of third parties, or legally privileged information, so you should go through a redaction or removal exercise to check what you are not required to provide.
• Providing the response. Ensure that you also provide the required accompanying information about the personal data (not just copies of documents). You should also ensure that you deliver the response in a secure way and don’t risk a data breach.

If you need any assistance in responding to a DSAR, or producing policies or processes to guide future responses, contact our data protection team.

Whether you can sell a marketing list in a compliant way will depend on a number of factors, you will have to consider:

• Who is on the list? Data protection law treats electronic marketing to individuals differently from marketing to corporates. Selling a list of individuals’ emails for marketing is unlikely to ever be compliant (unless the individuals have given consent to that buyer sending them marketing). Even if your marketing list is for business purposes, you should consider if sole traders or other individuals might be on the list.
• What type of marketing is being conducted? Data protection law treats marketing to individuals by email, phone or text differently from postal marketing.
• What is the context of the sale? If you are selling the entire business (so the marketing will be for the same business, just operated by someone else) this is more likely to mean a sale and onward usage is compliant.
• Can I justify the sale on the basis of legitimate interests? Unless you have suitable consents in place, it is likely that any sale will have to be on the basis of legitimate interests (and those interests must not be overridden by the interests or rights of the individuals). You should record those interests, and your decision-making in this respect, in a “Legitimate Interests Assessment” for future reference.
• What protection is being given? If you are satisfied that your sale is compliant, you should consider what protection you giving you buyer, and what protection your buyer gives you regarding their use of the list.

If you need any assistance in relation to a personal data transfer, including drafting contracts for sale, contact our data protection team.

Data protection law sets out obligations for the use of certain cookies, so to be compliant you will need to consider:

• What types of cookie am I using? Strictly necessary cookies (which are needed for the site to provide key functionality – like a shopping basket on an e-commerce site) don’t require consent or information, but all other cookies (including for analytics and preference purposes) will. The rest of this FAQ relates to those cookies
• Do I get proper consent? Consent under data protection law has to be unambiguous, so website visitors will need to click (usually on a consent banner) to accept. Continuing to browse a website once you’ve been told cookies are used is not enough. Your consent banner should also allow for visitors to consent to specific cookies (or at least types of cookie) rather than only having an “all or nothing” solution. Data protection authorities are also potentially moving to restrict the use of banners which make rejecting cookies too difficult, so bear this in mind.
• When do I drop cookies? Your cookie consent mechanism should ensure that cookies aren’t dropped until consent has been provided, otherwise if a visitor ignores your cookie consent banner they’ll still have cookies dropped on them even though they haven’t consented.
• What information do I give? You should also provide clear information on the cookies you are using, the purposes for which you intend to use them, any third parties who may also use that cookie information, and the duration of those cookies. This can be in a separate policy or as part of your cookie consent banner.

If you need any advice in relation to cookie consent, contact our data protection team.