Data is a highly valued commodity, and over the last few years it has been at the centre of many cyber security breaches, with hackers looking to steal the data and/or tarnish business reputations. Technological development, particularly fuelled by Covid-19, has resulted in an ever-increasing amount of personal data being collected and stored digitally, and the rush to do this may have left some systems insecure: some companies advanced too quickly and their security is still catching up, while others may not have advanced at all, leaving them vulnerable.
UK data laws were a topic of discussion in 2022 and will remain a notable issue in 2023, with the new UK adequacy regulations, transatlantic data flows, and updated guidance regarding the UK’s International Data Transfer Agreement (IDTA). There was very little movement last year, so we anticipate that movement this year will be essential, shining a spotlight again on this area of law.
If such data is stolen or lost, there may be serious compliance, financial and reputational consequences for businesses, especially those responsible for controlling and processing such data. As such, cyber security, vigilance and careful planning are ever more key to a business’s development.
Following Brexit, the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (UK GDPR), which implemented and incorporated the General Data Protection Regulation (EU GDPR), are the key instruments setting out the regulatory framework on data protection in the UK, including the definitions, principles and individual rights relating to personal data.
UK data protection laws apply to controllers and processors of personal data who are based in the UK, but also to those based outside the UK who deal with the personal data of UK citizens.
Breach & consequences
What is a personal data breach?
This is defined as a breach of security relating to personal data that results in ‘accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’. For example, a private document is disclosed to the wrong recipient, or a hacker attacks and steals personal data from a company’s internal systems. This can be financial information, names and addresses, or even what a client or customer has ordered. It applies to clients, staff, third parties and customers alike.
Parties will normally need to report personal data breaches promptly: to the relevant authority within 72 hours of becoming aware of the breach, and to all affected individuals without undue delay where there is a high risk of adversely affecting individuals’ rights and freedoms. The business needs to make sure it follows its Data Protection policy carefully and documents its actions, so that it can support its position later should it need to do so. The wider the policy, the less impactful it will be considered; too restrictive, and the business risks trapping itself. Careful drafting and implementation is therefore key both to avoiding and addressing a breach and to evidencing that any breaches were addressed and resolved satisfactorily.
Breach of data protection laws may result in action being taken against the parties by the Information Commissioner’s Office (ICO) or by the affected individuals. Fines can be up to £17.5 million or 4% of total annual worldwide turnover in the preceding financial year, whichever is higher. In 2020, British Airways was fined £20 million over a data breach involving the personal and credit card data of over 400,000 customers. Whilst we read about these larger companies and fines, smaller operators also need to be aware that the government is monitoring and investigating all breaches: ignorance or size is no defence, and they will expect to see actions, policies and procedures in place and invoked.
Advice in protecting personal data
Due to the strict rules and high risks relating to data protection, businesses and organisations should consider the following measures to ensure compliance with, and avoid breaches of, data protection laws:
- Data processing agreement: Parties should ensure there is a written contract between them setting out their rights, obligations and liabilities relating to the processing of personal data (including any sub-processors). This could range from an employment contract or staff handbook, to website terms and conditions for customers, to complex contracts between clients, third parties and the company. If the processing of personal data is part of a larger transaction, data protection provisions should be included in the main contract. Agreements relating to the processing of personal data should be drafted or reviewed by experienced solicitors to ensure compliance with the DPA and UK GDPR, and reviewed regularly in line with your processes and policies.
- Records and documentation: Controllers and processors of personal data are generally required to maintain detailed records documenting aspects of their processing activities, such as processing purposes, lawful basis, data sharing and retention. Depending on the nature of the business, other documents may also be needed, such as policies relating to data privacy, protection, retention and breach notification, as well as records of consent and of data breaches. Further, parties may be required to prepare a data protection impact assessment report where their processing is likely to result in a high risk to the rights and freedoms of individuals (such as innovative use, or applying a new technological or organisational solution). These should be clear and available to the applicable parties, but also practical and enforceable. A business needs to follow its policy and be able to show that it has done so, so do not draft one that is inaccurate or impractical.
- Customers’ data: Businesses may need to process customers’ personal data as part of their operations (including via an app or platform), in which case they should ensure that customers explicitly consent to the processing of their personal data by confirming their agreement to the company’s privacy notice, cookies policy and/or terms and conditions. These documents will need to be tailored to specific business models and products, and thus expert advice should be obtained. Do not use pre-ticked boxes: we still see companies doing this, and it is not accepted.
- Employees’ data: Processing of employees’ personal data also needs to comply with data protection legislation. Employers should ensure that explicit consent is obtained from employees under their employment contracts and internal policies, such as a data protection policy and privacy notice. These should state who their data is being passed to, especially if the employer outsources payroll, pensions or private medical health, as this data is being processed by the employer and sent to a third party. Certain employees may also be involved in processing personal data on behalf of the employer, in which case the company should ensure the relevant policies are in place, such as a data subject request policy and an information security policy, so that employees do not breach the provisions of the DPA and UK GDPR while performing their duties. Do not forget to have robust data protection provisions in place with those third parties who receive your staff’s data.
- Restrict access to those who actually need the data. Why give access to staff members who will not be using or processing this data? It simply opens the business up to greater, needless risk. Review and audit access rights, the use of data and the reasons for access; often all managers have access when perhaps only 10% need it.
- Training: A very common issue is that staff are not trained correctly on processing the data, storing the data or addressing breaches. Staff need to understand the procedures, have access to them, be trained clearly on the processes and have someone to report to for clarity. This aspect of training is often overlooked.
Processing of personal data is subject to strict rules, and if these are breached organisations may be liable for significant fines and damages. Organisations should ensure they thoroughly understand their roles and responsibilities under the law and that appropriate documentation is put in place to avoid breaches and liabilities. As these matters can be highly technical and complicated, organisations should seek expert legal assistance to ensure compliance and avoid unexpected consequences from poorly drafted documents.