It has been nearly 3 months since Europe entered a new age of data protection. Change on a scale this comprehensive has created a lot of confusion. The old regime (dating back to 1998 in the UK, before Facebook was even invented) was long outdated and no longer fit for purpose; it has now been replaced by much stricter rules with harder-hitting sanctions.
As individuals become better informed about their rights, they acquire significant leverage against companies (including their employers) should they become aggrieved. Many businesses are not equipped with the budgets, time or resourcing to handle the enhanced requirements of the new regime. The purpose of this article is to dispel some of the myths that have emerged around what you can or cannot do with personal data since the arrival of the GDPR.
1. I must have the consent of the data subject before I can process any of their data – WRONG.
Consent is merely one of the six lawful bases for processing personal data (set out in Article 6 of the GDPR) and is one of the hardest to obtain correctly; the others are performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a public task and legitimate interests. Without consent, businesses can still process the personal data they actually need in order to perform a contract with the data subject (or to take steps, at the data subject's request, before entering into one), or to pursue their legitimate interests (provided those interests are not overridden by the individual's interests, rights and freedoms, which requires a documented balancing exercise). Whichever basis is relied on, it should be identified and recorded before the processing starts, because the basis cannot easily be swapped later.
2. GDPR does not apply to us because we only process personal data of business contacts in B2B contracts – WRONG.
Performance of any sale, supply or service contract will, fundamentally, involve engagement of, and correspondence with, individual staff at the contracting organisations, and that correspondence will contain names and contact details (at the very least). This data must be processed fairly and in a transparent manner, kept up to date, appropriately secured, and deleted when it is no longer needed (not retained indefinitely). Businesses should therefore still have updated privacy policies, standard terms and conditions or supplier contracts, and internal policies that help staff meet their obligations to protect personal data.
3. GDPR does not apply to an individual’s business email addresses and telephone number – WRONG.
A business email address or telephone number that relates to an identifiable individual (i.e. not an office switchboard, a reception desk number or a generic info@ mailbox) is personal data relating to that individual, not the company. This is the case even if the email address is publicly available on a website. GDPR will apply to any processing of this personal data, so a lawful basis must be identified and the Article 5 principles followed before it is processed.
4. Employers don’t need to review anything in relation to staff data because they need to process it – WRONG.
Processing personal data because it is required to perform an employment contract is a lawful basis under Article 6(1)(b). Special category data (such as medical records) additionally requires one of the conditions in Article 9, most commonly Article 9(2)(b), which covers processing necessary for the employer's obligations under employment law. Either way, the employer must fully and transparently adhere to the principles under Article 5. This means that all staff have the right to know how their personal data is processed, at the time it is collected (Article 13). Employers should therefore produce a sufficiently detailed and accurate privacy notice (that sets out, as a minimum, what data they need, why they need it and on what lawful basis, how they store it, which third parties process it on their behalf and how long they retain it) and issue it to all staff. Preparing the notice will often prompt a review of how staff data is actually processed and what has previously been communicated to staff. Staff can be asked to sign, date and return copies for internal record keeping, although a signed acknowledgement of a privacy notice is not the same as consent and should not be treated as such.
5. Employers can still carry out criminal records checks on their current or prospective staff – WRONG (well, partly).
Criminal record data is not, strictly, special category data under Article 9; it is dealt with separately under Article 10 of the GDPR, which restricts its processing to organisations acting under official authority or where authorised by EU or Member State law, with appropriate safeguards. For UK employers that authorisation comes from the DPA 2018, which allows DBS checks against current or prospective staff only with their prior consent (which has to be freely given and cannot be a condition of employment or of progression of their application). Relying on that consent also requires the employer to have an appropriate policy document and internal security measures in place to protect the sensitive nature of the data. If the employee or applicant simply refuses, the employer will need to take a view on their employment without having access to that data. This consent requirement does not apply to the specific, limited lines of work listed in the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 (for example roles involving work with children or vulnerable adults), where checks can still be carried out, subject to the same enhanced security requirements.
6. Failure to comply will result in an automatic and immediate heavy fine – WRONG.
In most cases (depending on the severity and nature of the breach), a first offence will not result in a financial penalty. The ICO has made clear in its press releases and online guidance that it intends to work with organisations in the short to medium term as the new rules bed down. A range of sanctions is available to the ICO (as the UK's official regulator), ranging from investigations, undertakings and enforcement notices to financial penalties. Failure to comply with ICO requirements following a breach will, naturally, prompt the ICO to take firmer action in future. The ICO cannot, however, award compensation to aggrieved data subjects; a data subject seeking compensation for material or non-material damage must bring a claim in court under Article 82.
7. I don’t need to do anything where I send marketing communications with other information – WRONG.
Many organisations shoe-horn electronic marketing information into their invoicing process, customer feedback requests or usage guides. Electronic marketing is governed by the Privacy and Electronic Communications Regulations (PECR) as well as the GDPR, and the basic rule is that you cannot market to individuals by email, text message or automated call unless you have their prior permission to do so (e.g. an unticked opt-in box). The one limited exception, the so-called "soft opt-in", applies where you obtained the contact details in the course of a sale (or negotiations for a sale) of your own products or services, you are marketing only similar products or services (i.e. on a "you've dealt with us before, why not again" basis), and the individual was given a simple means of refusing marketing both when the details were collected and in every subsequent message. Tacking marketing onto an invoice or a user guide will not (in most circumstances) satisfy these conditions or otherwise bypass the marketing consent rules. If you have not yet revised your marketing consent processes, or segregated your marketing databases between those who have opted in and those who have opted out, do not delay in doing so. The ICO has highlighted breach of the marketing rules as a particular area of focus for enforcement as GDPR beds down.
The contents of this note are intended for general information purposes only and shall not be deemed to be or constitute legal advice tailored to any specific situation.
If you are interested in, concerned about or would like to discuss the contents of this note and how it may affect you, please get in touch with Tom Gibby or Martine Nathan who will be happy to advise.
This article is part of a series of legal update articles from our quarterly newsletter.