Table of Contents
As a business owner, you are likely aware of the importance of compliance with the General Data Protection Regulation (UK GDPR). The constant barrage of media articles about the ability of the Information Commissioner’s Office (ICO) to fine businesses in England up to £17.5m can be concerning for business owners. The GDPR is so lengthy and complex it can be hard to figure out the best steps to take and in which order to take them. This article will explore four valuable ways a lawyer can help your organisation comply with the GDPR.
What is the General Data Protection Regulation?
The GDPR is a set of data protection rules which apply to businesses in England. Most rules relate to protecting individuals’ personal data to protect them from harmful actions. Compliance with the GDPR is crucial, as any data security breach can prompt an ICO investigation.
The ICO is an independent body set up by the Government, which aims to carry out two main tasks. Its first aim is to help educate organisations in England about data protection law requirements. Businesses can refer to the ICO’s written guidance on its website. Its second task is to fine organisations which fail to comply with the GDPR. Many businesses fear a potential ICO fine due to their power to provide a financial penalty of up to £17.5m.
1. Handling Subject Access Requests Appropriately
Subject access requests are also known as SARs or data subject access requests. A SAR is a request by an individual for all (or some) information held about them by your business.
Most SARs come from customers or employees. Upon receiving a SAR your organisation should respond as soon as possible. This is because the GDPR allows organisations one month to provide all relevant documentation to the individual.
However, there are certain exemptions and limitations on the documentation your business will have to disclose. This is where a lawyer can assist. For example, a lawyer can help advise your organisation as to which documents you can redact. Redaction is a process of striking out specific parts of a document in bold black marker so the recipient cannot read them. This usually happens when the document contains confidential or personal information relating to someone other than the individual.
Similarly, a lawyer can advise which letters, emails and notes come under ‘legal advice privilege’. This enables organisations to avoid disclosure of materials containing legal advice between your business and its lawyers. Furthermore, your lawyer can advise whether you may refuse to act on the SAR due to a limited exemption. For example, if the request is manifestly excessive or too similar to other recent SAR requests.
These exemptions depend on the specific circumstances at that time, so many business owners appreciate having a lawyer to advise on these GDPR requirements.
Continue reading this article below the formCall 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.
2. Ensuring the Safe Use of CCTV
One of the lesser-mentioned parts of the GDPR includes its rules regarding CCTV use by businesses.
The GDPR cares about CCTV footage because it constitutes the recording of personal data relating to individuals. Due to this, the GDPR sets out the following principles:
- your business must securely store all CCTV recordings;
- you may not hold recordings for longer than genuinely necessary;
- your organisation must place adequate warning signs near CCTV cameras; and
- you should ensure a data protection impact assessment is in place (and reviewed regularly).
It is not always obvious what certain phrases (such as ‘longer than genuinely necessary’, ‘adequate warning signs’ or ‘securely store’) mean in practice. This is where a lawyer can be beneficial. Additionally, they can draft and carry out a data protection impact assessments for your business.
3. Ensuring Appropriate Collection of Customer Information
The starting point of the GDPR is that your business can collect customers’ personal data. However, the legislation then limits how you may collect and how long you may store it for. Put simply, the GDPR is happy for your organisation to obtain customer data for lawful reasons and to keep it for as long as necessary. However, the ICO believe that any of the following scenarios will likely breach data protection rules:
- failing to handle personal data transparently;
- collecting customer information for excessive or irrelevant reasoning;
- keeping customer personal data for an unnecessary period; and
- obtaining customer personal information for unlawful purposes.
Again, some of the above phrases are not immediately clear and this is where a lawyer can prove very helpful in advising you where to draw the line. For example, a lawyer can offer advice on what constitutes ‘transparent’ handling of personal data.
4. Reporting Personal Data Breaches to the ICO
Your company must report any relevant personal data breaches to the ICO within 72 hours of knowledge. The ICO believes that an organisation should refer itself when both of the following statements are true:
- a ‘personal data breach’ has been discovered; and
- that breach is likely to pose a ‘risk to people’s rights and freedoms’.
Unfortunately, the definitions of the phrases within quotation marks above are not easy to understand. However, an expert lawyer can fully advise you on when a potential breach occurs and whether it risks the ‘rights and freedoms’ of individuals.
The ICO is not shy of granting hefty fines to organisations that fail to declare a qualifying breach through their website within a 72-hour period. Hence, a lawyer’s assistance is likely to be good value. Put simply, a lawyer can put your mind at ease as to whether to report a breach and any risks of not doing so in each individual circumstance.
Key Takeaways
The GDPR is known for being complex and full of vague phrases, which can be challenging to understand. Accordingly, a lawyer can offer your business a roadmap for the right way around certain data protection obstacles. Engaging a lawyer can help steer your organisation around situations where it could face a hefty fine from the ICO.
If you need help taking appropriate action following a data protection breach, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
Because the ICO wishes to deter businesses in England from not taking data protection seriously. The ICO recognises that a major motivating factor for companies is to protect their bottom line by avoiding GDPR fines.
The GDPR is phrased in a way that tries to cover every single situation that could arise between individuals and organisations in England. This means that it must use ‘one size fits all’ wording which, in practice, can require expert advice to untangle.
We appreciate your feedback – your submission has been successfully received.
