GDPR privacy policy compliance for business - are you in breach?
Most small and medium-sized digital businesses have been scrambling to get on top of all the operational changes that have come into place following the end of the transition period (31 December 2020).
Fast-growth websites and mobile apps have reached the point where terms and conditions cobbled together from templates leave too much uncertainty.
A business with something to lose is motivated to replace the uncertainty of compliance-related loss with the certainty that specialised legal advice provides.
GDPR and privacy policies are one significant change challenging businesses. The critical question is how to remain compliant now that the UK has left the EU. But what is GDPR, and what steps must you take to ensure that you're not in breach?
Defining GDPR & other vital terms
As a UK business, it's essential first to get your head around a few GDPR-related definitions. Once you understand these terms, they will inform the steps you should take to become UK GDPR compliant.
What is UK GDPR?
GDPR stands for General Data Protection Regulation and was put in place by the EU to give EU consumers more protection from businesses using their personal data. In essence, the regulations ensure that businesses take adequate steps to protect personal data and be transparent with consumers about using their personal data.
UK GDPR essentially takes existing EU GDPR and assimilates it into UK law. The harmonisation of UK law with EU GDPR was done to help minimise confusion for businesses on how to remain compliant with GDPR following the transition period and signal to the EU that the UK would still take GDPR and EU consumer data seriously.
The UK GDPR distinguishes between 'data controllers' and 'data processors' to recognise that not all organisations involved in the processing of personal data have the same degree of responsibility. The UK GDPR defines these terms:
What is a Data Controller?
'Data controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Most businesses act as data controllers because they decide how customer data is used, for example for marketing or to fulfil customer orders.
What is a Data Processor?
'Data processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
For example, a printing and distribution company may be commissioned by another business (or an individual) to design and distribute flyers to several addresses. As the printing company has not chosen how to use the data (i.e. the addresses), it is simply a data processor.
(However, the printing company is also likely to be a data controller if they also collect data from their customers and store and use it for marketing and other activities.)
Why distinguish between data controlling and data processing?
According to the ICO, as a data controller, you are responsible for complying with the UK GDPR, and you must be able to demonstrate compliance with data protection principles. Complying with data protection principles includes taking the appropriate measures to ensure you carry out your processing according to the UK GDPR.
If you are a processor, you have more limited compliance responsibilities.
Why is GDPR important?
The use of digital tools to store and process data has rapidly become an everyday part of life, and few businesses are yet to migrate the way they store consumer data over to a digital platform. In an era in which hackers can now potentially access company files from across the globe, it is more important than ever for businesses to safeguard their consumers' data, and indeed their reputation, from such criminal activities.
Further to this, a recent RSA report revealed that 62% of its respondents would blame companies for data breaches before blaming the hacker, further evidencing why businesses need to understand the importance of being GDPR compliant.
The fines for businesses found to have data breaches are considerable - read on to find out more.
How does GDPR affect marketing?
The regulations that businesses must adhere to regarding marketing to prospective or existing customers have not changed since the transition period. There are three main areas of GDPR that businesses should be aware of to take the necessary steps to be compliant.
Data Permission
As a business, you must have freely given consent from consumers to use their data, and you must obtain this consent unambiguously. It is no longer enough for businesses to include small print at the bottom of a form with a provision allowing them to send marketing emails to the user. Instead, forms must include specific opt-in checkboxes that let users express a particular interest in receiving marketing materials.
Data Access
Any customer data that you do hold must be accessible and revocable by that customer at any time. In practical terms, this means including clear 'unsubscribe' links at the bottom of electronic marketing materials such as emails.
Data Focus
Any data obtained from customers must be necessary for your marketing. This means asking only for the data you specifically need; for example, as a retailer, you are unlikely to need a customer's date of birth to send them promotional emails about your new clothing range. So be sure to remove such irrelevant data from your opt-in forms.
Can we still sell to international customers?
In short, yes. On 30 December 2020, an EU-UK Trade and Cooperation Agreement was signed, acting as a bridging mechanism that facilitates the continued flow of personal data between the UK and EU/EEA. This bridging mechanism will remain until 1 May 2021. If no adequacy decision has been issued by that date, then there is a further automatic extension until 1 July 2021, unless either party objects in due course.
If the UK is granted an adequacy decision, this will result in the ongoing free flow of data between the UK and the EU/EEA indefinitely (unless the adequacy decision is ever revoked).
To safeguard businesses against the possibility of an adequacy decision not being granted to the UK, the ICO recommends that UK businesses put additional transfer mechanisms in place when working with data from the EU/EEA. Businesses can do this by implementing SCCs.
What are SCCs? SCC stands for standard contractual clauses; they were validated as an acceptable tool for facilitating continued data transfers between the UK and the EU/EEA by the Court of Justice of the European Union (Case C‑311/18).
An interactive tool on the ICO website can be used to generate the relevant SCCs for businesses, taking into consideration their position as a data controller (the party that decides how the data is used) or as a data processor (the party that processes data on behalf of the data controller).
Can we still share data with our partner companies?
From January 2021, data transfers from the UK are subject to UK GDPR. As previously addressed, the UK GDPR incorporates the existing EU GDPR. As such, businesses can continue transferring data from the UK to any EU counterparts that they have (outbound data).
However, following the transition period, the UK's relationship with the EU changes to third-country status. This change will significantly impact the transfer of personal data from EU countries to the UK (inbound transfers), even if both the controller and the recipient of the data are part of the same corporate group. An incoming data transfer will only be able to take place if certain conditions are met (see Article 44, GDPR).
Whilst inbound data transfers are currently permitted under the EU-UK Trade and Cooperation Agreement, as mentioned above, this data bridge is temporary. It affords businesses the time to put in place any necessary safeguarding mechanisms if an adequacy decision fails to materialise.
For businesses that are part of multinational groups, international franchises or joint partnerships, Binding Corporate Rules (BCRs) are one such mechanism. BCRs must be approved by the ICO (for UK businesses), and applicants must demonstrate that they have taken adequate steps to protect personal data, including data transfers throughout the group.
Multinational groups must also identify the relevant lead supervisory authority in each location in which they operate to approve their BCRs.
According to guidance from the ICO, businesses that share data internationally outside of the EEA will not need to make any provisions at this stage.
What GDPR fines can I face if my business is in breach?
The GDPR provides for substantial fines for failing to comply with its requirements, including fines of up to €20 million, or 4% of your total worldwide annual turnover, whichever is higher.
Conclusion
For many UK businesses, GDPR compliance can seem like a minefield, challenging to navigate whilst also continuing business as usual. Our team of privacy policy lawyers at PAIL solicitors is on hand with 20 years of experience working with businesses to ensure GDPR compliance.
We can work with you to help establish the necessary steps you must take to be compliant and can help you implement SCCs and BCRs with external organisations or international offices.
To obtain accurate advice about your business's GDPR privacy policy status and how we can help, please contact us on (020) 7305-7491 or at peter@pailsolicitors.co.uk, and we would be delighted to assist you. The writer is an Internet and digital technologies + entertainment law specialist, owner and principal solicitor at PAIL® Solicitors. Peter Adediran's specialist niche areas of practice are digital media business SMEs and IP, contentious and non-contentious. (Charge rates may vary.)