Data Protection Services
We provide expert data protection and GDPR compliance services
across the UK and globally for a fixed monthly cost.
GDPR, data protection & e-privacy experts
Expertise and support for a low monthly cost
Ensuring you become and remain compliant
Commercially aware, real-world guidance
Arrange a free, no-obligation call with one of our DPO Specialists to discuss your compliance needs, so we can get to understand your business and requirements. We’ll ask about your size, structure, management systems, working practices, culture, strategy and your specific objectives from our engagement.
We offer three packages to start from, but we know there isn’t a ‘one size fits all’ when it comes to privacy and security. Good data protection needs to be risk-led, and your approach to both should be aligned with your business strategy, which is why we can tailor your package to be unique to your organisation.
After our assessment of your individual needs from our initial engagement, we will tailor a package to suit and send you a Statement of Work and Proposal document. Once that has been approved, we will assign you your dedicated data protection specialist, who will guide you through the next steps.
You'll get a named DPO, supported by our wider team
We'll register ourselves as your DPO with the ICO
On-demand phone, email & online access to your DPO
Prioritised support if you suffer a data breach
Help responding to data subject rights requests
Carrying out Data Protection Impact Assessments
Reviewing & creating privacy notices
Privacy policy creation & supporting procedures
Employee training & awareness
Data sharing, international transfers & processors
Legally qualified specialists & solicitors in-house
Optional security risk management support
Head of Data Protection practice, Ray Orife, discusses the most common question clients ask, what the AI landscape looks like for data protection and what makes Evalian’s data protection services unique.
Got another question? Call us today – we’d be happy to guide you.
Personal data is information relating to an individual which allows them to be identified, either directly or indirectly. Common examples of personal data include an individual’s name, address, or identification number. Even where an individual is identified or identifiable, directly or indirectly, from the information being processed, that information must also relate to the individual in order to be personal data.
Where you cannot directly identify an individual from information, you still need to consider whether an individual is identifiable, taking into account the information being processed together with all the means reasonably likely to be used to identify individuals. For example, if somebody found a bank account number written down on a piece of paper in a café, without a name or an identified financial institution, this could be considered anonymous. By contrast, a bank account number provided to someone working in the relevant bank to which the account number relates will be personal data if they have access to systems that can link the account number to the account holder.
Personal data can also include special categories of data such as information relating to an individual’s ethnicity, health and sexual orientation. There are stricter rules governing how special category data is obtained and used by organisations, due to the sensitivity of the information.
For more information on what constitutes personal data and some examples of how it is used, you can read our blog on personal data here.
If a business uses personal information during the normal running of its business, then the UK GDPR is likely to apply. Under the UK GDPR, organisations must embed data protection compliance into all of their processing activities. This approach is referred to as ‘data protection’ by design and by default and is a key aspect of the UK GDPR’s risk-based approach and emphasis on accountability.
Fundamentally, companies must implement appropriate technical and organisational measures that ensure their use of personal data is compliant with the UK GDPR’s seven ‘processing principles’; this is where using outsourced data protection services can be hugely beneficial. These principles oblige organisations that are handling data to do so in a way that protects the rights of individuals. The 7 principles organisations must comply with are:
Not every organisation needs to appoint a DPO. Under the UK GDPR, you must appoint a DPO if your organisation:
A group of undertakings may appoint a single DPO, provided they can be easily accessed by each entity. A DPO does not have to be an individual; it can be a company or an organisation too, meaning an organisation can outsource its DPO role to a third party.
Even if you aren’t required to appoint a DPO, you can make a voluntary appointment of a DPO. However, please note that the same requirements of the position under the UK GDPR still apply as if the appointment were mandatory. If you decide that you don’t need to appoint a DPO, either voluntarily or because you don’t meet the above criteria, it’s still a good idea to record this decision to help demonstrate compliance with the accountability principle.
Irrespective of whether it is mandatory for you to appoint a DPO, you must ensure that your organisation has sufficient staff and resources to meet your obligations under the UK GDPR.
To understand more on whether you need to appoint a DPO, please see here. We also have a useful blog on the topic – Should you outsource your DPO?
The UK GDPR applies to all organisations that process personal data, regardless of the size of the organisation. Therefore, even if you are a sole trader, as long as you are processing personal information the UK GDPR will apply to your organisation. This ensures that everyone’s data is used properly and fairly, preventing situations where personal data can be used wrongly or for harmful purposes such as identity theft and discrimination.
The likelihood is that even small organisations will store and use personal data about employees, customers, or suppliers on a regular basis, and therefore will need to comply with UK data protection laws. Even if a business doesn’t employ any staff, data protection legislation is very likely to still apply, as in many organisations there are likely to be emails containing personal data and other documents containing personal data to which the UK GDPR will apply.
Small businesses generally have fewer obligations under the UK GDPR. For example, those with fewer than 250 employees are not obliged to keep a record of processing activities. However, the 7 core data protection principles will apply regardless of the size of the organisation. As a result, a small organisation will be required to adopt a data protection by design approach and implement appropriate technical and organisational measures to meet the UK GDPR’s requirements. This could potentially include needing to appoint a DPO, depending on the nature of the organisation’s processing activity.
For further guidance for smaller organisations, please see here, or read our blog on GDPR for small businesses.
Under the UK GDPR, individuals have a number of individual rights including a right of access which gives individuals a right to obtain a copy of their personal data from organisations processing their personal data. The right of access is not a new right under the UK GDPR and is commonly referred to as a subject access request (‘SAR’).
Where an individual makes a SAR, they are entitled to a copy of their information and supplementary information such as an organisation’s purposes for processing their data and who the organisation has shared their data with (if anybody).
A SAR can be made verbally or in writing, including on social media. An individual does not need to explicitly say they are making a SAR or access request, refer to legislation, or direct the request to a specific contact; it just needs to be clear that they are asking for their personal data for the request to be valid.
A third party can also make a request on an individual’s behalf (e.g. a solicitor or relative), as long as the organisation has obtained evidence of the third party’s authority to establish that the third party making the request is entitled to act on behalf of the individual.
Generally, organisations must respond to a SAR within 1 month, free of charge. In limited circumstances, for example where a request is considered excessive, this period can be extended by up to 2 months, and it may be possible to charge a reasonable fee for copies of the information.
There are some limited exemptions that allow businesses to refuse to supply some or all of the information that was requested. For example, if providing the information may adversely affect the rights of others, an organisation can refuse to supply some or all of the data. Another example is where an organisation is in negotiations with an individual, for instance in respect of an individual’s redundancy: an organisation can refuse to comply with a request for papers detailing the company’s rationale for reaching a redundancy settlement if complying with the request would prejudice the redundancy negotiations. In any event, any intention not to comply fully with an individual’s SAR should be communicated to them at an early stage. Businesses must be careful in applying these exemptions and should consider whether they apply on a case-by-case basis rather than taking a blanket approach.
Further detailed guidance on SARs can be found here.
Organisations need to consider data protection when engaging new suppliers if the supplier is going to be processing personal data. The supplier’s ability to evidence its data protection compliance should form a fundamental part of any supplier’s due diligence. This could involve the use of risk assessments and Data Protection Impact Assessments to ensure that the new supplier will handle personal data with the utmost care.
Important questions to ask of suppliers include whether the supplier holds any industry certifications, where data is located, how the supplier would respond to data breaches, and whether they share personal data with any other third parties. Essentially, organisations should establish that a supplier meets the UK GDPR’s requirements before using the supplier’s services.
In addition, organisations must enter into a written agreement with any suppliers processing personal data and make sure that any contract includes all the relevant data protection clauses prescribed by the UK GDPR. For instance, agreements should clearly set out the purpose and categories of any personal data that may be processed by the supplier, and the parties’ obligations for different processing activities.
Performing thorough due diligence at the outset of a project will allow an organisation to identify and mitigate any issues early on, which should mean retrofitting costs are avoided after a business change or project has been implemented.
Trusted by clients from across numerous sectors, including businesses, charities and public sector organisations
Contact us now for a friendly, no-obligation discussion or to request more information about our outsourced DPO or GDPR compliance services. We’re in London, Southampton, the Midlands and North West and support clients across the UK and globally.
Contact us