In this new series of insights, we debunk common data protection misconceptions and explain how Tozers can help your business comply with the regulatory framework.
“Downloading a template privacy notice means I am complying with data protection and GDPR”.
This is incorrect and could put your business in breach of data protection legislation.
Who needs a privacy notice?
Any business which holds personal data.
What is the purpose of the privacy notice?
In summary, it sets out:
1. Your identity and contact details;
2. Details of the data protection officer, where applicable;
3. The types of personal data you are processing;
4. Why you are processing personal data;
5. Your legal basis for processing;
6. If you are relying on consent as your legal basis, how consent can be withdrawn;
7. How long you will keep the data (your retention periods);
8. Who you will share it with;
9. Whether the data will be transferred outside the UK;
10. Data subjects’ rights, including how to make a complaint to the supervisory authority; and
11. Whether you undertake any automated decision-making, including profiling.
Is it a legal requirement?
Yes – providing privacy notices is a key requirement of the UK GDPR. Individuals have a right to know how you will use their data before they give it to you, so a privacy notice should be made available to them in advance. If your website is the main way clients or customers find you, and it collects their data (for example through contact or enquiry forms), the notice must be published there so that visitors can read it before they submit anything.
If you process personal data you are responsible for complying with the law, however small your business is. There are very few situations in which a privacy notice is not needed.
What happens if I don’t comply with the regulatory framework?
The Information Commissioner’s Office (ICO) is the UK’s independent regulator set up to uphold information rights. It has various enforcement powers, for example:
1. Issuing information notices that require you to provide certain information.
2. Issuing enforcement notices that require you to take, or refrain from taking, particular steps or actions.
3. Issuing monetary penalty notices: for breaches of the UK GDPR the maximum is £17.5 million or 4% of annual worldwide turnover, whichever is higher (and up to £17 million under the Network and Information Systems Regulations).
In April 2023 the ICO fined TikTok £12.7 million for several breaches, including failing to use children’s data lawfully. Accompanying the penalty notice was a 58-page annex which considers the specific wording of TikTok’s privacy notices over a two-year period and sets out why the ICO concluded that the wording did not meet the requirements of the GDPR. Whilst many organisations may consider privacy notices a mere formality, the ICO takes them seriously, and not following the rules could expose your business to significant financial and reputational risk.
How can Tozers help me?
Every business responsible for using individuals’ personal data (which includes simply storing it) has to follow strict rules, and lawyers play a crucial role in navigating the complex legal landscape surrounding personal data.
As well as helping you ensure you have an appropriate privacy notice in place, Tozers’ expert data protection team can help you comply with the regulatory framework by:
· Providing advice and guidance.
· Advising on data protection impact assessments, and on the technical and organisational measures needed to mitigate or manage the risks you identify when introducing new systems.
· Drafting data protection policies.
· Providing training to staff.
· If the worst happens, preparing written representations to the ICO to dispute a penalty notice.
If you require advice, speak to one of our legal experts today in a no-obligation phone call.