
Data Protection & Privacy FAQs: Frequently Asked Questions (Part 2)

December 17, 2025

This article continues from where we left off in Part 1, addressing more common questions around data protection, privacy rights, and compliance.

We recommend reading Part 1 first, as it covers key foundational topics and includes definitions of important terms used throughout both parts. For clarity and context, all defined terms referenced here are explained in that initial article.

Does a business need a data protection complaints procedure?

The DUAA introduces a new requirement for businesses acting as data controllers to establish a formal process for handling data protection complaints.

Specifically, these businesses must now:

  1. acknowledge receipt of complaints within 30 days of receiving them;
  2. take appropriate steps to investigate and respond to complaints without undue delay, including making enquiries into the subject matter of the complaint and keeping complainants informed of the progress; and
  3. notify complainants of the outcome of their complaint, again without undue delay, providing a clear explanation of any action taken (or not taken) and the reasons for that outcome.

These obligations introduce a formal right for data subjects to raise complaints directly with businesses, something that was previously only encouraged within the guidance provided by the ICO. By codifying these expectations, the DUAA ensures that data subjects are given a clear and accessible route to raise concerns with the businesses that determine the purposes and means of processing their personal data.

What are data subject access requests?

Data subjects have the right to access or receive a copy of their processed personal data. To access this information, data subjects can submit a subject access request (SAR).

There is no prescribed method for making a SAR. SARs can be made by a data subject either verbally, in writing or even on social media, as long as it is clear the data subject is asking for their own personal data.

Businesses acting as controllers must respond to SARs without undue delay and, in any case, within one month of receipt. Upon receiving a request, businesses should make a reasonable effort to find and retrieve the requested information. The information provided in response must be sufficiently intelligible to the person making the request.

Any information given in response to the request must be provided to the data subject free of charge, unless the request is manifestly unfounded or excessive, or the data subject is asking for multiple copies.

Does a business need a data protection officer?

A data protection officer (DPO) must be appointed in the following circumstances, whether acting as a controller or a processor:

  1. public authorities and bodies, except for courts acting in their judicial capacity;
  2. businesses whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; and
  3. businesses whose core activities consist of large-scale processing of special category data or data related to criminal convictions or offences.

Although an appointment is not mandatory in other circumstances, many businesses still treat appointing a DPO as part of their obligation under the UK GDPR to implement data protection by design and default. Any business that appoints a DPO, whether voluntarily or not, becomes responsible for ensuring that the appointment complies with the provisions of the UK GDPR.

What is a data protection impact assessment and when should a business complete one?

A data protection impact assessment (DPIA) is a formal procedure which is used by businesses to assess the impact of data processing activities. DPIAs must include a systematic description of the processing operations, the purpose of the processing, an assessment of the necessity and proportionality of the processing, an assessment of the risks to the rights and freedoms of the data subject, and the measures envisaged to address the risks posed to the rights and freedoms of the data subjects. The controller can ask a processor to help with a DPIA, however, the controller remains responsible and accountable for any DPIA carried out.

A business must complete a DPIA before beginning processing activities likely to result in a high risk to the rights and freedoms of their data subjects. An example of such processing activities includes where the decisions have legal or similarly significant effects on individuals. To determine whether or not processing activities are likely to be high risk, businesses must take into account the nature, scope, context and purpose of the processing.

Businesses may need to repeat a DPIA for a processing activity if there is a substantial change to the nature, scope, context or purposes of their processing.

What are cookies and does a business need a cookies policy?

A cookie is a small text file that is downloaded onto a person’s computer when they visit a website. The information stored in the cookie essentially acts as an internet user’s ID card, allowing the website to recognise that user when they return. Cookies have a number of uses, including remembering a user’s preferences, tracking a user’s activity and regulating which advertising appears on the website for that particular user.

Under PECR, businesses are required to obtain user consent before placing most cookies on a user’s device. This applies whether the data on the cookie is personal or not. No other lawful basis set out under Article 6 of the UK GDPR, such as for a legitimate interest, will be sufficient for cookies.

The data protection regime does not specify what information should be provided about cookies or how it should be delivered. However, it does require businesses to provide “clear and comprehensive” information about how cookies work and the businesses’ purpose for using them. This enables users to make informed choices and understand the potential consequences of allowing the cookies. This is similar to the transparency requirements under the UK GDPR.

Businesses using cookies must therefore provide a clear and comprehensive notice fulfilling these information requirements. This information must be provided at the time and place where consent to use cookies is sought. To fulfil consent and information obligations a cookie banner and a cookie policy are frequently used together.

Some cookies, such as those that are strictly necessary to provide a service explicitly requested by the user, do not require consent. The DUAA has recently extended this exemption to also cover cookies that collect information for statistical purposes and those that enhance the functionality of a business’s website.

What data protection documents should a business consider having in place?

To fulfil their data protection requirements under the UK’s data protection regime, a business should consider having the following documents in place.

  1. A privacy policy
  2. Data processing agreements
  3. Data protection impact assessments
  4. A data protection complaints procedure
  5. A data retention policy
  6. A data disclosure policy
  7. Cookie notices

What happens if a business breaches the data protection regime?

Where a business has breached the UK GDPR or DPA, the ICO has the power to issue monetary penalties. Under the UK GDPR and DPA there are two tiers of penalty, the higher maximum and the standard maximum.

The standard maximum amount is the higher of a fine of £8.7 million or 2% of the total annual worldwide turnover. Instances where a business may be subject to such a fine include where a business fails to meet its administrative requirements under the legislation.

The higher maximum amount is the higher of £17.5 million or 4% of the total annual worldwide turnover. Such fines may be applied by the ICO where a business fails to comply with a data protection principle or a data subject right.

The DUAA has also increased the ICO’s maximum monetary penalty under PECR from £500,000 to £17.5 million or 4% of the total annual worldwide turnover, aligning their powers under PECR with the UK GDPR and DPA.

How To Get In Contact

If you require assistance with any aspect of data protection and privacy law, or have questions about your legal obligations, please contact our Data Protection and Privacy team on 020 3987 0222 or email info@culbertellis.com.
