+44(0)2081445588 / +44(0)7535959450
info@LSLegaLUK.com liliya_scott

Data protection & Confidentiality

Data Protection Legislation

Everyone in charge of using personal data must adhere to rigorous data protection rules and regulations, which include but are not limited to EU GDPR, UK GDPR and the Data Protection Act 2018. Depending on who is using the personal data and whose personal data is being used, companies and individuals in the UK must ensure that the data is utilised according to the data protection principles.

Companies can be penalised for breaching the rules. For example, the ICO fined a facial recognition database company £7.5 million and ordered UK data to be deleted, and fined a home improvement firm £200,000 for making more than half a million unsolicited marketing calls.

What are the requirements?

When processing personal data, the following principles should be adhered to:

Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Storage limitation
Integrity and confidentiality (security)

This is not a tick-box exercise. The principles are broad, making it difficult to know precisely what is allowed and what is not. Therefore, careful planning needs to be done to avoid breaching the rules.

Principles in more detail:

  • Lawfulness, fairness, and transparency - You must collect, use, and keep personal data in a lawful, fair, and transparent manner. You should have a privacy notice so that the persons whose data you are using are aware of how you use their data.
  • Limitations on data use - You may only use data for clearly specified reasons. You can only use the data for a new reason if it is compatible with the original reason, if you obtain consent or if it is allowed by law.
  • Minimisation of data collection and storage - You must only collect and retain data that is relevant and essential for the reasons stated previously. Data processing must be adequate, relevant and limited to what is necessary; note that these terms are not defined.
  • Accuracy - When collecting data, you have to ensure that it is correct and maintained up to date throughout the time you store it. Any inaccurate or out-of-date data must be updated.
  • Limiting data storage - You should only store data for as long as it is needed for the purposes indicated and securely destroy it once it is no longer needed. We can assist you in drafting a retention policy that specifies how long each type of personal data collected should be kept.
  • Integrity and confidentiality - Personal data must be stored safely. We can assist you with the drafting of codes or policies in relation to the security principle.
  • Accountability - This is to make sure you take responsibility for processing and retain a record of compliance. Policies and processes must be used to document how you follow the other principles.

Understanding the data protection legislation may be challenging and many believe it simply applies to personal information about their employees. However, it also includes personal data of your customers and suppliers, as well as any data you store or manage for a third party.

If you do not comply with data protection legislation, you may face potentially disastrous consequences, including a fine of up to €20 million (£17.5 million), or 4% of worldwide turnover for the preceding financial year. Individuals may file claims against you if you abuse their personal information and you may be held liable. Data breaches can potentially severely harm your brand. Yet, if you prepare the necessary documentation and obtain advice, you can earn your customers' confidence and turn it into a selling point.

LS Legal Solicitors are committed to helping all of our clients adopt best practices in the business. Reach out to the experts for specialist advice.

Rights of a data subject

Data subjects enjoy the following rights:

the right to be informed
the right of access
the right to rectification
the right to erasure or restrict processing
the right not to be subject to automated decision-making

Please be aware that some exemptions and restrictions may apply which may prevent a data subject from exercising their rights, for example, legal professional privilege ("litigation" and "legal advice" privilege).


The major distinction between data protection and confidentiality is that data protection protects data against destruction, loss, and illegal access, whereas confidentiality allows only authorised individuals to access data. Data protection, if you will, aids in maintaining confidentiality.

In practice, this means that all information, whether on paper, computer, visually or audibly recorded, must not be revealed without agreement or consent. It can also mean that the information cannot be used to the detriment of the person who provided it without their consent.

Almost every organisation will deal with and store sensitive information.

In most cases there will be data and information that must be kept safe and classified, whether it is a secret restaurant recipe or sensitive customer data.

However, it is not uncommon for sensitive material to leak in some form or another.

When it comes to running a business, the implications of a violation of confidentiality may be disastrous. As a result, it is critical to understand when these events are likely to occur, the possible implications, and what you can do in the aftermath.

Moreover, to keep your confidential data safe, it is always advisable to execute a non-disclosure agreement before disclosing the information to any third party. This will assist immensely should enforcement of confidentiality be necessary.

Our team at LS Legal Solicitors focuses on assisting small and medium-sized enterprises with these and other legal issues.

When can confidential information be shared?

You may disclose confidential information if it is directed by law or requested by a court, for example.

Examples of workplace confidentiality breaches

1. Disclosure of employees' personal information

During the application and hiring process for a job, employees disclose a lot of personal information. Bank details, passport copies, home addresses and educational history are examples of such data.

Employers are forbidden from exposing their workers' personal information without their permission. A breach of confidentiality may occur if this information is not kept confidential.

2. Cyber attacks

Businesses all across the world are victims of data breaches. Unfortunately, as social media and the internet have grown in popularity, so have cyber attacks.

Mistakes that can lead to a breach can be avoided by security measures, cybersecurity training and workplace internet use standards.

A breach of personal information can occur in any situation, not just online, that lacks sufficient privacy and security requirements.

3. Transferring the data outside of the UK or EU

It is often not considered, but there are restrictions on transferring personal data outside of the UK and EU. The international transfer has to be necessary and based on either the law ("adequacy decision") or appropriate safeguards in place, such as an agreement with the recipient, which will ensure that the personal data will be kept safe. Sometimes you can transfer data in special circumstances. This is often overlooked and not adhered to, leading to breaches.

How can we help?

We can review your organisation's processing and the types of data processed and conduct an assessment. From there, we will be able to offer a tailor-made solution that ensures that your obligations are fulfilled and the risks of a breach are minimised if not eliminated.

We will identify the risks and prepare specific advice. We will also draft all the necessary policies and documentation to make sure that your compliance is recorded.

Most often, these are the types of policies we would draft for a client:

Privacy policy
Data retention policy
Policy on data breach
Processing notices
Template subject access request and log
Cookie policy

Depending on your organisation and what data is being processed, there may be a need for additional policies and documents.

Contact Us

LS Legal Solicitors are well-versed and highly experienced in providing advice and assistance in data protection and confidentiality matters. We appreciate that many of the requirements may seem complex and onerous. However, we shall endeavour to make your experience as smooth and stress-free as possible.

For the quickest response, please WhatsApp or call us on +44 (0) 75 3595 9450. You can also contact us via email at info@LSLegaLUK.com or use the contact form to discuss your requirements further or arrange an appointment with one of our experts.