This article is written by Harriet Jones, a partner at IBB Law in England, specializing in commercial matters including data protection. For more information, visit IBB Law on the web at www.ibblaw.co.uk.
This article is published in the Volume 1, 2022, issue of VantagePoint magazine. (You must be logged in to wsae.org to access VantagePoint magazine online.)
The General Data Protection Regulation (GDPR) caused concern in some parts of the world when it was introduced in 2018. Some businesses thought the only way to be compliant with GDPR was to delete all personal data from their systems. However, although you might need to make a few changes regarding how you treat personal data, the principles of GDPR are largely common sense and compliance should not be a huge headache or expense for businesses.
The purpose behind the regulation is to ensure that those holding and using personal data do so in a safe and responsible way, and that data subjects have control over their personal data. So, when thinking about your business’ use of EU personal data, keep it simple:
- Make sure you have legitimate grounds for holding and using personal data.
- Keep it secure.
- Understand the rights individuals have in relation to personal data.
- Keep the data up to date.
- When you no longer need it, delete it.
What is a legitimate ground for holding and using personal data?
GDPR is not all about consent. Most of the time you will collect personal data in order to fulfill a contractual obligation. For example, if you are sending goods to someone in Europe, you would need their name and address in order to send it to them. In this scenario, you don’t need their consent to have and use their data – you require it in order to fulfill the contract, and after fulfilling the contract, it is perfectly permissible for you to hold that data on file for standard record-keeping purposes. And remember, personal data is like any other asset held by your business: you wouldn’t leave business equipment in an unlocked office, so don’t leave data unsecure either.
Does GDPR apply to business data?
Many businesses incorrectly assume that because they only sell to other businesses, and not directly to consumers, they don’t hold any personal data. But a person’s name is personal data, whether they provide their name to a business in the course of their employment or in their personal life.
Communication is key
You need to tell data subjects about the legitimate grounds you are relying on when using their personal data. In the above example, in addition to your own use of the personal data to fulfil the contract, if you use a courier to deliver the goods, you will need to pass their name and address to the courier. So make sure you have told them that you will be transferring their data to a courier. A written privacy policy, which you make easy for people to find and read, should set out the detail of what you do with personal data. Having a link to your privacy policy on your website, and drawing the customer’s attention to that policy when ordering with you, is the easiest way to explain what you do with personal data.
Consent and when is it required?
Consent for holding and using personal data may be necessary if you process special category data such as genetic data or medical data. Many more stringent rules apply if you process special category data or data concerning children. However, the most common reason for a business to rely on consent as the legitimate ground for processing data is where the business wants to send marketing emails. This is because this use of data is unlikely to be the reason that the individual gave their personal data in the first place.
Consent needs to be explicit – it cannot be a pre-checked box or an implied term. And it needs to be as easy for the individual to withdraw consent as it was to give consent. For a lot of businesses, this means the individual needs to actively click in the box to agree to marketing emails, and unsubscribe buttons should be included on all marketing communications.
If a business relies on consent as its legitimate ground for processing personal data, failure to obtain consent can result in a fine and unwanted press coverage. On September 15, 2021, the Information Commissioner’s Office in London (ICO) issued a fine approximately equivalent to $265,746 to UK company We Buy Any Car Limited for sending over 191 million emails and 3.6 million nuisance texts to customers who had not opted in to receiving emails and texts for marketing purposes.
Another recent case involved American Express Services Europe Limited (AMEX) which was issued with a hefty penalty for non-compliance with data protection regulations. AMEX reportedly sent over 4 million marketing emails to customers who had not provided their consent to receive them. The ICO launched an investigation when AMEX customers complained they were receiving marketing emails despite opting out of them. During the investigation, the ICO found that AMEX had sent over 50 million of what they claimed to be service emails to their customers. These were in fact marketing emails, which were designed to encourage customers to make certain purchases using their cards which would benefit AMEX financially. It was described as a deliberate action for financial gain by the ICO, thus not a valid legal basis for using customer data.
Appointing a representative
Businesses outside the EU may need to appoint a data protection representative in the EU, and potentially another in the UK, following the UK’s departure from the EU. This representative can then deal with any issues that arise in the EU in relation to that business’ use of personal data. Not all businesses need to have a representative. If the processing is occasional, for example, a representative may not be required.
Failure to appoint a representative when required can leave a business subject to enforcement proceedings. The Dutch Data Protection Authority (DPA) imposed a fine approximately equivalent to $592,746 on Locatefamily.com, a Canada-based data controller and international website, for failing to appoint an EU representative. The website offers individuals a platform to search for the contact details of family and friends they may have lost contact with. The website (without user consent) frequently publishes personal data of individuals, namely addresses and phone numbers for thousands to see and have easy access to – including individuals who aren’t even registered with the website. Individuals in the EU wanted personal details to be removed from the website, but this wasn’t particularly easy because Locatefamily.com did not have a data protection EU representative. This was considered a major breach of GDPR and meant those located within the EU were unable to turn to anyone for information on how to exercise their privacy rights. Several complaints were raised and the DPA, along with nine other European privacy supervisory authorities and the Office of the Privacy Commissioner of Canada, were required to act efficiently to address the company’s non-compliance with GDPR rules.
Take the right advice
Non-compliance with the rules can lead to an investigation, a fine or both – but don’t simply delete your data. Instead, review your data policies and take some practical, commercial advice on what you can do to incorporate the GDPR common sense principles into your business.