
Data Protection Lightbulb Series

Updated: Nov 23, 2023

Data Protection - UK

In September 2023, I provided a whole series of Q&As on LinkedIn relating to data protection. You can find the entire series here in this blog - a mini guide to some of the most commonly asked questions about data protection and complying with privacy laws.

Q. Do I have to register with the ICO and why? 🤷‍♂️

The Information Commissioner’s Office (ICO) is a public body responsible for promoting and upholding data protection compliance for companies in the UK, as well as ensuring the privacy rights of individuals.

If you’re an organisation or sole trader processing personal data then you must register with the ICO and pay a fee. This fee funds the ICO’s work and also underlines your professional reputation as a business or individual who takes data protection seriously. 💼🔒

There are some organisations and sole traders who may be exempt though so before paying the fee, check if you need to here - 👉🧐

Q. What types of data do data protection laws apply to? 🔒

Data Protection laws in the UK apply to any information which identifies an actual living human. This includes names, contact details, date of birth, gender, and even things like payment details, location data/IP address, and potentially data about things like purchasing preferences.

The laws also apply to more sensitive data such as health records, personal beliefs and biometrics. UK data protection laws also comprise special rules for information relating to children and for handling data related to criminal records.👶🚔 Businesses should adhere to data protection guidance on how data is collected, stored, used and shared (especially if any sharing involves the data leaving the UK to an overseas third party).

They should also carefully consider any automated decisions made by technology to ensure that these do not affect the rights of individuals as protected by UK data protection laws. 💻

Q. What rights do individuals have concerning their personal data? 👤

Individuals in the UK have various rights regarding their personal data. Generally, people must be told how their information may be used 🔍. Which is why you need a privacy policy📃!

In some cases people must give consent for their data to be collected and processed or sometimes you can collect without consent if there is a ‘legitimate interest’. There are a number of rules (and exceptions), so be sure you are collecting data in accordance with the law🧑‍⚖️.

Individuals also have the right to access their data and to have any misinformation corrected. They have the right to withdraw consent at any time. 🚫🗑️

Even in cases where consent was not necessary to collate the data, individuals may request deletion of data if they believe there is no longer a need for an organisation to hold onto the information. However, this may or may not be granted and would depend on a number of factors.

Q. What’s the difference between GDPR and the Data Protection Act 2018? 📜

GDPR is the General Data Protection Regulation as written and implemented by the EU. The Data Protection Act is the UK’s implementation of GDPR. 👨‍⚖️ The UK Data Protection Act 2018 sits alongside GDPR, but the UK government has the ability to review data protection laws in the future (if it so wishes).

Even if any such UK legislation changes are implemented in the future, you still need to bear GDPR in mind. This is because any business processing the data of EU citizens or residents will still need to be compliant with GDPR. 🔏Want to stay updated on pending changes to UK Data Protection laws? Subscribe to my newsletter and I’ll keep you posted 👉

Q. What do I have to think about when collecting data about children? 🧒📊

You must have a lawful reason for collecting data on children and you have a legal obligation to protect this information. 🔒 No children under the age of 13 are old enough to give consent for their data to be collected online or in person. Therefore, you will need parental/primary carer consent. 📝👨‍👩‍👧

Businesses must only collect data that is necessary for providing their products or services.

All privacy information must also be made available in a form/style that is understandable for children. 🧒📘

If you are collecting children’s data online you may consider simplifying the language in your Privacy Policy (let me know if you need any help updating this).

Children have advanced protective rights under the Data Protection Act, which are laid out in The Children’s Code. 🛡️👧 You can learn more about these on my blog "Children And Data Protection" -

Q. What do I need to think about if I’m transferring data out of the UK?

When transferring data out of the UK, businesses must first establish a legal basis for needing to do so. Next, they should check they are transferring data to countries that meet UK adequacy regulations. These are countries found by the UK to provide a reasonable level of data protection and privacy rights. 👌

In cases where transfers are being made to countries not covered by the UK adequacy regulations, businesses will need to use safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).

To further protect data being transferred out of the UK, businesses may also conduct a Data Protection Impact Assessment (DPIA) and they must notify data subjects with regard to data transfer practices. 📊

Still confused? 😣 Check out my guide on Transferring Data Out Of The UK in which I break it all down into bite-size chunks! 📖 -

Q. What’s the difference between a data controller and a data processor? 💻

Data controllers are the people, or organisations, that direct the collection and usage of data. Processors act on behalf of the controller to process, and often to collect and store, the data. They may be internal to an organisation or outsourced. They may be contact centres, data centres, marketing agencies and so on and they operate under the direction of the controller for the controller's purposes. 👨‍💻 Data controllers are ultimately responsible and accountable for ensuring data protection laws are adhered to. However, data processors may, in some scenarios, also be penalised if found to be non-compliant. 🚫

Sometimes you might be sharing data with a processor, whilst at other times you might be sharing data with another data controller (for example, if you are both collecting data about individuals and sharing it with each other - maybe you are an associate working for a psychology private practice, collecting data about therapy clients and then sharing it with the psychology firm?). Who the parties are will determine the type of data agreement you put in place and the types of obligations and responsibilities on each of the parties.

This is why it’s super important to get the correct data processing/sharing agreement in place. The controllers need to know that the processors will be handling the data properly and joint controllers need to make certain promises to each other.

Reach out if you need any analysis on your data flows / working out who is a controller and processor / checking you have the right data processing agreements in place.

Q. What on earth is a DPIA and do I need to do one? 🤔

DPIA stands for Data Protection Impact Assessment and it is basically a risk assessment businesses may carry out to scrutinise how and why data is collected and explore the potential risks in doing so. 🕵️ Organisations must legally conduct a DPIA if any processing of data could be high risk (for example if you are processing children’s health data, etc) and/or if a breach of the data you are processing could seriously impact the individuals the information relates to.

Having said this, the actual risks (and whether they are high) may not be identified until the DPIA is carried out. Therefore, it is advisable for every organisation collecting or handling data to carry out an impact assessment. ✔️📝

Q. As an employer, do I need a privacy notice for my staff?🧑‍🤝‍🧑

Businesses need to inform anyone whose data they are collecting, handling or processing, and that includes employee data. 💼 Data collection will be essential for legally employing anyone and employers have a duty to protect this information in line with UK data protection laws. A privacy notice 📃 (which should be separate from but sit alongside their employment contract) should state what data will be collected, the purposes for which it will be used and how this data will be protected. It should also specify for how long the data will be kept.

🏬 Then you obviously need to store it safely and securely (especially if you are handling special category data about employees' health/criminal convictions, etc).

If you need assistance in drafting a privacy notice for your employees please get in touch.

Q. Do I need a cookie consent and policy on my website?💡

Yes. Currently, if you are using cookies 🍪to process personal data then you need to get consent ✅and you must have a cookie policy (which you could include in your privacy policy) that explains what giving consent means for users.

Not sure if your website is collecting cookies? Most are. You can check by clicking on the padlock symbol in the URL bar and then hitting the 'Cookies' button. This will show you what cookies are being used on your website.

Collecting cookies will likely be automated through the platform you are using to host your website🖥️. This will be why you might see information regarding where visitors are coming from, which pages they are viewing, etc. Installing Google Analytics will also mean cookies are being collected.

For now, you'll need a cookie consent banner 🪧or pop-up to stay compliant with the Privacy and Electronic Communications Regulations (PECR). This may change when the new UK Data Protection Bill passes (I will keep you updated on this) but for now you'll need users of your site to agree to their cookies being collected. You must also provide a link to a policy 📃that states how cookies will be used.

💥 Word of warning... there are some unscrupulous individuals out there checking that organisations have the cookie pop-up notices and links to cookie policies in place. If not, then they are searching out whether non-essential cookies are being used and then making claims that PECR has been breached along with their data privacy rights and then asking for compensation 💷! So get those pop-up notices installed and links to policies. Most platform providers have free templates you can use (such as Wix, Squarespace, etc).

If you are in e-commerce compliance then you may be interested in my E-Commerce 💻Legal Package which includes privacy and cookie policies as well as other documents and guideline information you might need -

Q. What is a privacy policy, where should it be kept and how do I tell people about it?📃

All companies should have a privacy policy (regardless of organisation size or nature of business) if they're collecting any amount of personal data.

A privacy policy is a legal document that outlines how an organisation collects, uses and safeguards the personal information of individuals. It must also detail a person's rights and choices regarding their data.

If you have an online presence then your privacy policy must be made available online, usually on your business website. There should also be a clear, easy-to-find link to the policy so that users have access to it. Furthermore, you should link to your privacy policy each and every time you ask for anyone's personal information. For instance, when asking customers to complete a transaction, asking clients to sign an agreement, asking anyone to subscribe to a newsletter, etc.

Need help drafting a Privacy Policy for your business? Drop me a message through my website and I'll be in touch (and note how I include a link to my privacy policy within the form) -

