In Short
- Businesses using third-party tools like World-Check must understand UK data-protection rules and legal responsibilities.
- Screening databases can contain outdated or incomplete information, so results should be verified.
- Legal advice helps identify risks and ensures compliance when using personal data for KYC or due diligence.
Tips for Businesses
Only collect and keep the personal data you need, check the accuracy of third-party information, review the provider’s terms, and adopt a risk-based approach. Seek legal guidance to understand your obligations under UK data-protection law and reduce the risk of privacy issues or regulatory breaches.
Businesses often use third-party platforms to support their compliance, due diligence and risk-assessment activities, particularly for Know Your Client (KYC) purposes. As these tools and platforms become an important part of everyday operations, organisations must understand the legal implications and potential risks (particularly when relying on external data sources).
Data-protection requirements and risks should be a key part of an organisation’s assessment when using third-party tools that involve personal data. World-Check is one example of such a tool, and it is vital that organisations using its information take steps to reduce the potential data-protection risks.
This article explores the UK’s data-protection framework, highlights key privacy issues that may occur when using tools such as World-Check and discusses the value of legal advice in mitigating legal risks when using such platforms for business purposes.
Understanding the UK’s Data Protection Law Framework
The UK GDPR is the main law that manages how organisations in the UK can use personal data. It works alongside the Data Protection Act 2018, which sets out additional rules, including:
- how sensitive data can be used; and
- the powers of the regulator.
The Data (Use and Access) Act makes gradual changes to these laws, which will affect how some organisations meet their obligations. As a result, organisations need to regularly review how they handle personal data and keep working towards meeting the legal requirements.
Using Third-Party Tools and Platforms
Organisations frequently use external tools to support activities such as:
- anti-money-laundering checks;
- compliance processes; and
- due diligence.
When you collect personal data from a third-party platform, you need to understand your data protection responsibilities for using that information. You should also check the provider’s contract terms so you know:
- what the service covers;
- any limits on responsibility; and
- where the risks sit.
Because these obligations can differ depending on the tool and how it is used, it is sensible to get legal advice if you are unsure about what applies.
Using World-Check
World-Check runs a due diligence service that mainly gathers public information about people and organisations, and flags those it considers higher risk. The service gathers information from a wide range of public sources, including:
- media reporting;
- government lists;
- sanctions notices;
- court records; and
- politically exposed persons registers.
Many financial institutions and professional-services firms incorporate the use of the platform into their screening processes.
While this sort of tool can be useful to support regulatory compliance, organisations need to weigh the privacy and legal considerations that stem from its use. For example, organisations should be careful when using third-party tools to verify information and should make their own judgment about how to use or act on what those tools provide.
Key Privacy Considerations When Using World-Check
Key considerations and potential risks include the following:
Accuracy and context issues
Large databases can contain information that is outdated, incomplete or lacking context. This can affect how organisations interpret screening results. Relying solely on a database entry (without conducting additional checks) may lead to:
- unfair;
- inaccurate; or
- incomplete assessments.
Impact of inaccuracies and individual rights
Under the UK GDPR, individuals have the right to have inaccurate personal data corrected. Errors in screening information can affect a person’s access to services and may expose organisations to:
- complaints;
- regulatory scrutiny;
- reputational damage if decisions are based on incorrect or misunderstood material; or
- defamation or reputational allegations.
Transparency obligations
Many people may be unaware that their information appears in screening databases, which raises transparency concerns. If individuals do not know that their data is being used, it becomes difficult for them to understand how decisions are made or to challenge inaccuracies.
Data security concerns
Data security on such platforms can also be a significant concern, particularly given the risk of data breaches compromising personal data.
While these issues relate to how the platform collects and manages its data, they can still create real risks for organisations that rely on these tools. Businesses remain responsible for how they use personal data taken from third-party databases, so it is important to understand the limits of that data and any risks, such as accuracy issues.
Steps for Organisations Using KYC Tools
Organisations should treat screening results with care and think carefully about the risks when using tools like World-Check or similar platforms. Extra checks are often needed as public information can be:
- out of date;
- incomplete; or
- easy to misunderstand.
Having clear steps to spot inaccuracies, understand the limits of the data, and verify important findings can help manage the risks of relying on large databases for due diligence.
Before using these tools, organisations should:
- assess how reliable the service is;
- understand its limits;
- consider any privacy obligations;
- review the provider’s contract terms; and
- take a risk management approach.
It is also important to keep data privacy in mind when carrying out KYC checks. This includes:
- avoiding collecting more information than necessary;
- not keeping data longer than needed; and
- carrying out privacy risk assessments, such as data protection impact assessments, where required.
As these issues can be complex, organisations should consider getting legal advice when using third-party data tools and carrying out KYC checks to help identify risks and understand how to manage them.
Key Takeaways
Screening tools such as World-Check can support your regulatory and compliance objectives, though organisations should recognise:
- the potential limitations;
- data protection implications; and
- far broader issues that can arise from their use.
Public-domain information may be outdated or incomplete, so adopting a risk-based approach is essential.
If you need support understanding how UK privacy laws impact your use of third-party tools, LegalVision provides ongoing legal support for all businesses through our fixed-fee legal membership. Our experienced lawyers help businesses across industries manage contracts, employment law, disputes, intellectual property, and more, with unlimited access to specialist lawyers for a fixed monthly fee. To learn more about LegalVision’s legal membership, call 0808 196 8584 or visit our membership page.
Frequently Asked Questions
The UK GDPR is the legal framework that sets strict rules and regulations in relation to the processing of personal data in the United Kingdom. It requires organisations to follow key principles and grants individuals certain rights regarding their personal data.
A data protection lawyer can help you analyse how the UK GDPR applies to your organisation’s operations and identify (and help you correct) any gaps in compliance. UK GDPR rules are not one-size-fits-all and depend on your organisation’s role and specific processing activities.