Lesser known Data Protection snippets in the UK

It’s always difficult to start these things off, but I recently shared the contents of this page in a networking meeting I attended. They were gratefully received so I thought it would be good to share them on here too.

This page relates to data protection in the UK and is aimed at anyone running a UK business or organisation. Some of what is here are lesser-known legal requirements; the rest are thoughts on how you can achieve best practice in your own business or organisation.

To start with, compliance with data protection law in the UK takes more than just registering with the ICO. Registration (paying the data protection fee) is a requirement for most businesses, associations, clubs and organisations that process personal data. A small number of exemptions exist, so check against the ICO's own criteria rather than assuming you are exempt, but either way registration is only the start.

Financial penalties for failing to pay the fee range from £400 to £4,000 depending on the fee tier your organisation falls into, and the ICO has further enforcement powers available should other non-compliance be found.

At the time of writing this article the European Commission had issued an adequacy decision for the UK, recognising that the UK GDPR and the Data Protection Act 2018 give personal data protection essentially equivalent to the EU GDPR, so data can flow from the EU to the UK without extra safeguards. This means that if someone is trying to sell you an "EU GDPR compliant" framework because UK data protection is supposedly sub-standard from an EU perspective, they should not be listened to. It is true, however, that certain cross-border transfers, in particular transfers out of the UK to countries without adequacy status, need further documentation and controls such as the ICO's International Data Transfer Agreement or EU standard contractual clauses with the UK addendum. That was also true before the UK left the EU. One caveat worth noting: the adequacy decision is time-limited and subject to review, so keep an eye on its status if EU-to-UK transfers matter to your business.

Compliance with the legal framework is made up of two types of documentation: externally viewable documentation and internal documentation. Both types are equally vital, as one should reflect the other.

The externally viewable documents are your privacy policy (the privacy notice that the UK GDPR requires you to give to the people whose data you collect), your terms and conditions and, if required, your service contracts. Each of them should summarise the relevant parts of your internal policies. If either type of document is missing, or the two contradict each other, it is most likely that you will be seen as not compliant by the ICO should they need to investigate your business or organisation.

Unfortunately, the internal documentation required will vary from business to business and from organisation to organisation. It is true to say, though, that three policies will be needed to convince the ICO, upon investigation, that you have considered what you are doing and that you are taking steps to keep improving how you control all data and, in particular, personal information.

These three internal policies are: a) a Data Policy, b) a Marketing Policy and c) an Information Security Policy.

Data Policy

A data policy (of some description) should set out, at a minimum, why data is collected, how it is used, how it is stored, how long it is kept and how it is destroyed. It should cover the three forms data takes: physical (or printed) data, electronic data (including photographs and videos) and voice data, such as recordings of telephone conversations and voicemail messages.

It is important to note that some retention requirements are set externally by other laws. For example, HMRC requires business and financial records to be kept for at least 6 years from the end of the financial year they relate to, and the Companies Act 2006 requires minutes of directors' meetings to be kept for at least 10 years, which means any personal information recorded in those minutes is retained for that long. These statutory periods are a floor for the records they cover, not a licence to keep everything indefinitely: the storage limitation principle still applies to any data outside their scope.

Marketing Policy

Different from a marketing strategy, this document sets out what types of marketing you are allowed to do and where, and/or when, you would rely on data, and especially personal information, when marketing to your clients and/or potential clients.

There are many detailed restrictions in the Privacy and Electronic Communications Regulations 2003 (PECR), in particular on unsolicited marketing by email, text message and telephone, that also need to be taken into account when constructing this policy. PECR sits alongside the UK GDPR rather than replacing it, so a lawful basis under the UK GDPR does not by itself satisfy PECR.

Information Security Policy

This policy isn't just about changing your passwords regularly (and current NCSC guidance actually advises against forcing periodic password changes). For the modern business there is a plethora of electronic wizardry to assist you on your administrative, marketing and financial journey. All of it, software and hardware alike, has flaws and weaknesses, and the regulations have definite things to say about how you manage them: the security principle requires appropriate technical and organisational measures, which in practice means knowing where your personal data actually sits, patching, access control and backups. Biometric data, most commonly used to unlock smartphones, is special category data when used to identify someone and has the potential to identify a person as easily as their photograph on a website or a social media post.

A close look at your processes is required to assess correctly whether the measures you have in place are appropriate to the data you hold.

Other useful snippets that are part of the legal framework are:

  a) Every data breach has to be recorded internally, whether or not it is reported to the ICO.
  b) A breach that is likely to result in a risk to individuals has to be reported to the ICO within 72 hours of you becoming aware of it, and an interim report counts if you do not yet have the full picture; further details can follow. The 72 hours run continuously, weekends included, so just hope that you don't get told of a breach on a Friday afternoon, it'll ruin your weekend.
  c) Consents that are provided as part of your normal processes have to be regularly reviewed. The format of the review is up to you, but relying only on people "unsubscribing" from a marketing list would not be considered best practice.