Our Service

Data protection should be at the forefront of business concerns as the penalties (criminal as well as civil) for breach of the legislation can be severe.

We are experienced in advising businesses on their roles and responsibilities on Data Protection issues and negotiating Data Protection provisions during a corporate or commercial transaction.

Key features of data protection

The collection and use of data in the United Kingdom is governed primarily by the Data Protection Act 1998 (DPA).  The DPA is largely concerned with the “processing” of “personal data”.  If you are a “data controller” you must comply with the obligations set out in the DPA to protect information and avoid data breaches.

Are you a “data controller” or a “data processor”?

Data controller: this is the entity who (alone, jointly or in common with others) determines the purposes for which and the manner in which any personal data is, or is to be, processed.

For instance, a business will control the data of its employees and customers.  Even where data is held by a third party (e.g. where a function or service has been outsourced), the originating entity may still be the data controller.

Data processor:  this is the entity (other than an employee of the data controller) which processes data on behalf of the data controller.  Although the data processor does not have specific obligations imposed on it under the DPA, the DPA does require the data controller to pass on certain obligations to the data processor.  The data processor is expected to have more legal obligations in the future.

Who is the “data subject”?

The data subject is the individual who is the subject of personal data.  This could be employees, customers, contractors, consultants, individuals on contact lists or marketing databases, or individual partners of a partnership.

What is “personal data”?

Personal data is any data which relates to a living individual who can be identified from the data and other information which is in the possession of, or is likely to come into the possession of, the data controller. It includes any expression of opinion about the individual and of the intentions of the data controller or any other person in respect of the individual.  The information does not have to be confidential.

What is “processing”? 

Processing is the obtaining, recording or holding of information or data or carrying out any operation or set of operations on the information or data, including:

  1. organising, adapting or altering the information or data;
  2. retrieving, consulting or using the information or data;
  3. disclosing the information by transmission, dissemination or otherwise making it available; or
  4. aligning, combining, blocking, erasing or destroying the information or data.

This broad definition means that any activity involving personal data will be caught.  If you hold personal data then it is likely that you will be engaged in processing that data. 

What are your obligations? 

Personal data must be processed in accordance with the eight data protection principles set out in Schedule 1 of the DPA:

  1. It must be processed fairly and lawfully.
  2. It must only be obtained for one or more of the specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. It must be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed.
  4. It must be accurate and, where necessary, kept up to date.
  5. It must not be kept longer than is necessary for the purpose.
  6. It must be processed in accordance with the rights of data subjects under the DPA.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. It must not be transferred outside the European Economic Union unless the destination country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to processing data.

There are additional rules relating to sensitive personal data which includes data relating to race, political opinions, health, sexual orientation, religion and beliefs, trade union membership and criminal records. Our data protection solicitors specialise in providing bespoke legal advice on all your data obligations.

What are the rights of data subjects?

The individual whose data is held has certain rights under the DPA. These include:

  • Right of access: the individual is entitled to be informed whether its personal data is being processed by or on behalf of the data controller and if so, has a right to be given a description of the personal data, the purposes for which it is being processed, and the recipients or classes of recipients to whom it is or may be disclosed.  The individual also has the right for a copy of the data to be provided to it in a permanent form.
  • Right to object to processing: individuals have a limited right to prevent processing of their personal data where such processing causes, or is likely to cause, unwarranted substantial damage or distress to the individual or anyone else. Individuals also have the right to prevent processing of data for direct marketing purposes, even where consent has previously been given.

What are your obligations where processing is to be carried out by third parties?

Where data is processed on behalf of the data controller by another party, the data controller must:

  • Choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing being carried out; and
  • Take reasonable steps to ensure compliance with those measures.

The data controller is also required to enter into a written contract with any data processor which requires the data processor to act only on instructions from the data controller and requires the data processor to comply with obligations equivalent to those imposed on the data controller by the seventh principle.

If you are a data controller or data processor and you would like advice on how you can comply with the eight data protection principles or your other obligations under the DPA, please contact our Corporate Commercial team.

Electronic Communications & Direct Marketing

Direct marketing is communication (by email, phone, text or post) of any advertising or marketing material which is directed to particular individuals.

Direct marketing is now a focus of government policy.  The government wants to make it easier for the Information Commissioner’s Office (ICO) to fine companies that do not comply with the rules.  It is recommended that compliance with the law on consent to direct marketing should be treated by businesses as a board level issue in the context of corporate risk.  Failure to comply with the rules can lead to reputational damage, loss of goodwill, loss of customers, fines, regulatory and legal action, and criminal prosecution.

There are strict direct marketing rules; however, the application of the rules differs according to the type of communication and whether the recipient is an individual or corporate subscriber.  Individual subscribers include residential subscribers, sole traders and non-limited liability partnerships.

Opt-in or Opt-out

Consent by an individual subscriber to receive marketing by email must be obtained via an ‘opt-in’ method rather than ‘opt-out’. This means that a consumer must tick a box to consent to receiving electronic communications rather than tick a box stating that they do not wish to receive them.

For post and non-automated telephone marketing, individual subscribers have the right to ‘opt-out’ and to register free of charge with the Mail Preference Service (MPS) or the Telephone Preference Service (TPS).  Although the relevant legislation does not require the “opt-in” method for non-electronic communications, the ICO advises that it is best practice to obtain “opt-in” consent in all circumstances.

Even where a subscriber has “opted-into” direct marketing (or not “opted-out”), the subscriber must be given the option to “unsubscribe” following receipt of marketing.  Businesses must always provide a valid address to enable the subscriber to unsubscribe.  The ability to unsubscribe must be clear on the face of the marketing.

The rules are much more lenient in relation to corporate subscribers.  Corporate subscribers do not have a statutory right to opt-out of direct marketing prior to such marketing (whether by email, phone, post or SMS).  This means that the opt-in/out tick box is not strictly required for corporate subscribers.  However, the guidance from the ICO is that even where the subscriber is a corporate entity it is best practice to gain consent by an “opt-in” mechanism or at the very least an “opt-out” mechanism.  Further, although prior consent is not required by law, the corporate subscriber must be given the option to “unsubscribe”.

Buying and selling data

It is recommended that, as a minimum, businesses should commit to reviewing and implementing the ICO’s guidance relating to collecting and buying data. The following ICO guidance should be made clear in business policies:

  • Inform other companies in the data chain when a consumer has opted out of marketing calls or texts.
  • Businesses relying on third party consent should satisfy themselves that the consent was not obtained from the consumer more than six months before it is used.
  • Third party consent will not be sufficient to override TPS registration and businesses that purchase data must screen against the TPS all telephone numbers obtained.
  • Businesses should record proof of consent in a format that can be used by future recipients of the data.

Meet Our Specialists

Home-grown or recruited from national, regional or City firms. Our specialists are experts in their fields and respected by their peers.

Joanne Henderson

Jo is a Partner in our Employment department.

Carla Murray

Carla is a Partner in our Corporate Commercial department.

David Jones

David is a solicitor in our Employment department.

Suzanne Townley

Suzanne is a solicitor in our Corporate Commercial department.