All businesses handle data. Here’s what you need to know to stay on the right side of data protection regulations.
Agne Zasinaite and Rachel Gillan are solicitors in MacRoberts’ Intellectual Property and Commercial Contracts Team. In this article, they cover the basics of data protection for your business.
Processing Personal Data
Employers gather various types of personal data relating to their employees, customers and clients. Employee data includes names, addresses, pay information, absence records, medical information, emails, and disciplinary and grievance matters. Similarly, client or customer personal data includes names, billing addresses and email addresses. When handling this personal data, you must comply with data protection laws. In particular, a Privacy Notice and a properly configured cookie banner are the two tools a business needs to get right.
When processing personal data, be transparent about what you’re doing with the data, why you need it, and who it will be shared with. Provide a Privacy Notice when you collect personal data from users. This Privacy Notice should go on your website so people can see it and access it easily.
The Privacy Notice must be concise, clear, and easily accessible. It should include certain information, such as the lawful basis for processing the data, who the information will be shared with, and whether any automated decision-making or profiling will take place. Additionally, you should review your Notice regularly to ensure it continues to be fit for purpose and legally compliant.
The ICO (the UK data protection regulator) has provided a useful template for businesses to create their own Privacy Notice.
If your business has a website, it’s important that you understand cookies and what the related legal requirements are. The Privacy and Electronic Communications Regulations (PECR) contain the rules for cookie use on websites.
The ICO suggests the following measures in order for businesses to be legally compliant:
- the user must take clear and positive action to give their consent to non-essential cookies – this means the previous approach of assuming consent from website use is no longer legal;
- you must inform users clearly about what your cookies are and what they do before they consent to them being set;
- if you use third party cookies, you must clearly and specifically name who the third parties are and explain what they will do with the information;
- you can’t use any pre-ticked boxes (or equivalents such as ‘on’ sliders) for non-essential cookies;
- you must provide users with controls over any non-essential cookies, and still allow users access to your website if they don’t consent to these cookies;
- ensure that any non-essential cookies are not placed on your landing page. Similarly, ensure that any non-essential scripts or other technologies do not run until the user has given their consent;
- disable all non-essential cookies (these include Google Analytics and Facebook’s pixel) until the user specifically enables them. This approach is recommended by the ICO, and the ICO’s own website cookie banner is a worked example of it.
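The last three points in the list (nothing non-essential on the landing page, nothing runs before consent, non-essential tags off until switched on) are the ones developers usually get wrong, because analytics and pixel snippets are pasted straight into the page template. The following is an added example, not code from the article or from the ICO: a small, framework-independent consent gate that keeps every non-essential category off by default, only treats an explicit positive choice as consent, and refuses to load a third-party script unless its category has been switched on. The category names, the script registry, the consent cookie name and the `G-PLACEHOLDER` measurement ID are assumptions made for illustration.

```javascript
// Added example (not from the article): a consent gate for non-essential cookies and scripts.
// Category names, the script registry and the cookie name are assumptions for illustration.

const CATEGORIES = {
  essential: { required: true },   // session, CSRF token, load balancing: exempt from consent
  analytics: { required: false },  // e.g. Google Analytics
  marketing: { required: false },  // e.g. Meta (Facebook) pixel
};

// Constructed registry of third-party scripts and the category each belongs to.
// The measurement ID below is a placeholder, not a real property.
const THIRD_PARTY_SCRIPTS = [
  { name: 'Google Analytics', category: 'analytics',
    src: 'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER' },
  { name: 'Meta Pixel', category: 'marketing',
    src: 'https://connect.facebook.net/en_US/fbevents.js' },
];

const CONSENT_COOKIE = 'cookie_consent';      // assumed name
const CONSENT_MAX_AGE = 60 * 60 * 24 * 180;   // re-ask after six months

// Starting state on every page: only the essential category is on. Non-essential
// categories default to false, which is the "no pre-ticked boxes" rule in code.
function defaultConsent() {
  const state = {};
  for (const [name, meta] of Object.entries(CATEGORIES)) state[name] = meta.required;
  return state;
}

// Read a stored record. Missing, malformed, tampered or unknown-version input never
// yields consent; only an explicit boolean true for a category switches it on.
function parseConsent(raw) {
  const state = defaultConsent();
  if (typeof raw !== 'string' || raw === '') return { state, decided: false };
  let rec;
  try { rec = JSON.parse(raw); } catch (e) { return { state, decided: false }; }
  if (!rec || typeof rec !== 'object' || rec.v !== 1 ||
      !rec.choices || typeof rec.choices !== 'object') {
    return { state, decided: false };
  }
  for (const name of Object.keys(CATEGORIES)) {
    if (!CATEGORIES[name].required) state[name] = rec.choices[name] === true;
  }
  return { state, decided: true };
}

// Build the record to store after the user clicks "Accept selected", "Accept all" or
// "Reject all". Never call this on page load or on scroll: that would be assumed consent.
// Unknown categories are dropped and anything that is not boolean true becomes false.
function serialiseConsent(choices, now = Date.now()) {
  const record = { v: 1, ts: now, choices: {} };
  for (const name of Object.keys(CATEGORIES)) {
    if (!CATEGORIES[name].required) record.choices[name] = choices[name] === true;
  }
  return JSON.stringify(record);
}

// Set-Cookie value for the consent record. It holds no personal data and is needed to
// honour the user's choice, so it is itself strictly necessary and may be set without consent.
function consentCookieValue(serialised) {
  return `${CONSENT_COOKIE}=${encodeURIComponent(serialised)}; Path=/; ` +
         `Max-Age=${CONSENT_MAX_AGE}; Secure; SameSite=Lax`;
}

// Which third-party scripts may run for a given consent state.
function permittedScripts(state, registry = THIRD_PARTY_SCRIPTS) {
  return registry.filter((s) => CATEGORIES[s.category] !== undefined && state[s.category] === true);
}

// Inject only the permitted tags. Outside a browser (e.g. Node) it just reports
// which scripts would have been loaded.
function loadPermitted(state, registry = THIRD_PARTY_SCRIPTS) {
  const allowed = permittedScripts(state, registry);
  if (typeof document !== 'undefined') {
    for (const s of allowed) {
      const el = document.createElement('script');
      el.src = s.src;
      el.async = true;
      document.head.appendChild(el);
    }
  }
  return allowed.map((s) => s.name);
}

// Page-load flow: read the stored record (the value of the consent cookie in a browser)
// and load nothing non-essential unless the user has already made a choice.
function onPageLoad(rawCookieValue) {
  const { state, decided } = parseConsent(rawCookieValue);
  return { showBanner: !decided, loaded: loadPermitted(state) };
}
```

In a real page, `onPageLoad` is called with the consent cookie's value pulled out of `document.cookie`, the banner's buttons call `serialiseConsent` with the user's toggles and write the result with `consentCookieValue`, and the analytics and pixel snippets are removed from the template entirely so that `loadPermitted` is the only path by which they reach the page. The parser deliberately treats a tampered or unparseable record as "not decided" rather than as consent, and a version bump (`v`) lets you invalidate old records when you add a category, which forces the banner to be shown again instead of silently extending earlier consent to the new purpose.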
Benefits of legal compliance with data protection
There are lots of benefits you will get from being legally compliant in processing personal data. These include:
Protect your profits: The potential fines for non-compliance with data protection laws are very high: under the UK GDPR, up to 4% of your annual worldwide turnover or £17.5m, whichever is higher (the EU GDPR equivalent is €20m).
Protect your reputation: We’ve seen the negative press coverage when organisations get it wrong. It can be very damaging to reputation and goodwill (Data Analytics and British Airways come to mind!).
Compliance is a selling point: Demonstrably good data protection practice is easy to sell to customers, who increasingly ask about it before signing a contract.
Written by Agne Zasinaite and Rachel Gillan, solicitors in MacRoberts’ Intellectual Property and Commercial Contracts Team.