Data protection should be at the forefront of business concerns as the penalties (criminal as well as civil) for breach of the legislation can be severe.
We are experienced in advising businesses on their roles and responsibilities on Data Protection issues and negotiating Data Protection provisions during a corporate or commercial transaction.
The collection and use of data in the United Kingdom is governed primarily by the Data Protection Act 1998 (DPA). The DPA is largely concerned with the “processing” of “personal data”. If you are a “data controller” you must comply with the obligations set out in the DPA to protect information and avoid data breaches.
Are you a “data controller” or a “data processor”?
Data controller: this is the entity who (alone, jointly or in common with others) determines the purposes for which and the manner in which any personal data is, or is to be, processed.
For instance, a business will control the data of its employees and customers. Even where data is held by a third party (e.g. where a function or service has been outsourced), the originating entity may still be the data controller.
Data processor: this is the entity (other than an employee of the data controller) which processes data on behalf of the data controller. Although the data processor does not have specific obligations imposed on it under the DPA, the DPA does require the data controller to pass on certain obligations to the data processor. The data processor is expected to have more legal obligations in the future.
Who is the “data subject”?
The data subject is the individual who is the subject of personal data. This could be employees, customers, contractors, consultants, individuals on contact lists or marketing databases, or individual partners of a partnership.
What is “personal data”?
Personal data is any data which relates to a living individual who can be identified from the data and other information which is in the possession of, or is likely to come into the possession of, the data controller. It includes any expression of opinion about the individual and of the intentions of the data controller or any other person in respect of the individual. The information does not have to be confidential.
What is “processing”?
Processing is the obtaining, recording or holding of information or data or carrying out any operation or set of operations on the information or data, including:
This broad definition means that any activity involving personal data will be caught. If you hold personal data then it is likely that you will be engaged in processing that data.
What are your obligations?
Personal data must be processed in accordance with the eight data protection principles set out in Schedule 1 of the DPA:
There are additional rules relating to sensitive personal data which includes data relating to race, political opinions, health, sexual orientation, religion and beliefs, trade union membership and criminal records. Our data protection solicitors specialise in providing bespoke legal advice on all your data obligations.
What are the rights of data subjects?
The individual whose data is held has certain rights under the DPA; these include:
What are your obligations where processing is to be carried out by third parties?
Where data is processed on behalf of the data controller by another party, the data controller must:
The data controller is also required to enter into a written contract with any data processor which requires the data processor to act only on instructions from the data controller and requires the data processor to comply with obligations equivalent to those imposed on the data controller by the seventh principle.
If you are a data controller or data processor and you would like advice on how you can comply with the eight data protection principles or your other obligations under the DPA, please contact our Corporate Commercial team.
Direct marketing is communication (by email, phone, text or post) of any advertising or marketing material which is directed to particular individuals.
Direct marketing is now a focus of government policy. The government wants to make it easier for the Information Commissioner’s Office (ICO) to fine companies that do not comply with the rules. It is recommended that compliance with the law on consent to direct marketing should be treated by businesses as a board-level issue in the context of corporate risk. Failure to comply with the rules can lead to reputational damage, loss of goodwill, loss of customers, fines, regulatory and legal action, and criminal prosecution.
There are strict direct marketing rules; however, how the rules apply differs according to the type of communication and whether the recipient is an individual or corporate subscriber. Individual subscribers include residential subscribers, sole traders and non-limited liability partnerships.
Opt-in or Opt-out
Consent by an individual subscriber to receive marketing by email must be obtained via an ‘opt-in’ method rather than ‘opt-out’. This means that a consumer must tick a box to consent to receiving electronic communications rather than tick a box stating that they do not wish to receive them.
For post and non-automated telephone marketing, individual subscribers have the right to ‘opt out’ and to register free of charge with the Mail Preference Service (MPS) or the Telephone Preference Service (TPS). Although the relevant legislation does not require the “opt-in” method for non-electronic communications, the ICO advises that it is best practice to obtain “opt-in” consent in all circumstances.
Even where a subscriber has “opted in” to direct marketing (or not “opted out”), the subscriber must be given the option to “unsubscribe” following receipt of marketing. Businesses must always provide a valid address to enable the subscriber to unsubscribe. The ability to unsubscribe must be clear on the face of the marketing.
The rules are much more lenient in relation to corporate subscribers. Corporate subscribers do not have a statutory right to opt out of direct marketing before such marketing is sent (whether by email, phone, post or SMS). This means that the opt-in/opt-out tick box is not strictly required for corporate subscribers. However, the guidance from the ICO is that even where the subscriber is a corporate entity it is best practice to gain consent by an “opt-in” mechanism or, at the very least, an “opt-out” mechanism. Further, although prior consent is not required by law, the corporate subscriber must be given the option to “unsubscribe”.
Buying and selling data
It is recommended that, as a minimum, businesses should commit to reviewing and implementing the ICO’s guidance relating to collecting and buying data. The following ICO guidance should be made clear in business policies: