How to get touch with us over the festive period

Our offices will be closed on 25 and 26 December, and 1 January with no access via telephone or email on these days. On 23, 24 and 27 December you will be able to reach us via telephone, email and our live chat but our offices will be closed to the public. All other dates we are open as usual. 

Complete the form below to ask us a question or make an enquiry. We’ll get back to you via phone or email as soon as possible.

Insights

Debunking Data Protection: What Personal Data Needs Protecting?

Posted on 01st August 2024 in Data Protection

Posted by

Jessica Whittick

Solicitor
Debunking Data Protection: What Personal Data Needs Protecting?

In this new series of insights, we debunk common data protection misconceptions and explain how Tozers can help your business comply with the regulatory framework.

“My business only needs to worry about protecting a customer’s bank details, payment information and medical records.”

This is incorrect and will likely put your business in breach of data protection legislation.

What is personal data?

Personal data refers to information that relates to an individual and is not limited to sensitive information such as bank details, payment information, and medical records. The individual must be identified or identifiable directly or indirectly from one or more identifiers or factors specific to the individual. All personal data must be protected.

If customer data such as names, addresses, email addresses and phone numbers falls into the wrong hands, and the breach is likely to result in a risk to the rights and freedoms of natural persons, you will need to report it to the Information Commissioner’s Office (‘ICO’) and you may face sanctions. Equally, if you misuse an individual’s personal data you will fall foul of the regulatory framework and may be sanctioned.

Why does all personal data need protecting?

Ensuring the security of personal data is essential for:

·      Ensuring an individual’s right to privacy;

·      Maintaining confidentiality;

·      Preventing identity theft;

·      Preventing discrimination; and

·      Protecting and maintaining your business.

Personal data is valuable – it has a significant economic value as it can be used to predict behaviour, influence interests and target customers for repeat business. If certain conditions apply, a business can process personal data for specific purposes but if not, the individual should enjoy their right to privacy.

What happens if we don’t?

The ICO is the UK’s largest independent body set up to uphold information rights. It has various enforcement powers, for example:

1.    Issuing notices that require you to provide certain information.

2.    Issuing enforcement notices that require you to take, or refrain from taking particular steps or actions.

3.    Issuing monetary penalties if you contravene network and information systems up to a maximum of £17 million.

Examples of reprimands include:

·      Data records not protected due to software vulnerabilities. On 30 July 2024, the ICO reprimanded the Electoral Commission after hackers gained access to servers containing 4 million records, including names and home addresses.

·      Using “CC” rather than “BCC”, revealing the email addresses of recipients of emails. In April 2024 the ICO reprimanded the Central YMCA for identifying/potentially identifying individuals who were likely to be living with HIV from their email address. They were fine £7,500.

·      Names and addresses of other residents made available. In April 2024 the ICO reprimanded Clyde Valley Housing Association for releasing a new customer portal where users could view the names and addresses of other residents for six days until they suspended the portal.

·      Unsolicited marketing messages. In December 2023 the ICO reprimanded Daniel George Bentley, the sole trader and director of Taipan Trading Ltd as a result of him and his company sending over 2.5 million unsolicited text messages to individuals.

What are the special categories of personal data?

Personal data referring to an individual’s:

·      Race;

·      Ethnic origin;

·      Political opinions;

·      Religious or philosophical beliefs;

·      Trade union membership;

·      Genetic data;

·      Biometric data;

·      Health data;

·      Sex life; or

·      Sexual orientation.

There are stricter rules for processing special categories of personal data.

What about criminal convictions?

Personal data can include information relating to criminal convictions and offences and requires a higher level of protection.

How can Tozers help me?

Everyone responsible for using personal data (which includes storing) has to follow strict rules and lawyers play a crucial role in navigating the complex legal landscape surrounding personal data.

Tozers’ expert Data Protection Team can help you comply with the regulatory framework by:

·      Providing advice and guidance.

·      Discussing data protection impact assessments and technical and organisational measures to mitigate or manage the risks you identify with new systems.

·      Drafting bespoke data protection policies.

·      Providing training to staff.

·      If the worst happens, providing written representations to the ICO to dispute any penalty notice.

If you require advice, speak to one of our legal experts today in a no-obligation phone call. 

Contact our legal experts

Company & Industry

Related Insights

Insights

Police Force Issued with a £750,000 Penalty Notice by the ICO for an Unprecedented and Industrial Scale Data Breach

Posted on 09th October 2024 in Dispute Resolution, Data Protection

In a recent case involving the Information Commissioner’s Office (ICO) and the Chief Constable of Northern Ireland, the ICO issued a penalty notice due to non-compliance with UK GDPR obligations. The incident stemmed from a data breach that occurred during a Freedom of Information Act (FOIA) response. While FOIA requests are typically limited to public authorities, the lessons from this case are relevant to all businesses handling personal data. Read our latest insight for a breakdown of the key points.

Posted by

Jessica Whittick

Solicitor
Insights

Debunking Data Protection Part 2: Can I Use a Template Privacy Notice?

Posted on 05th September 2024 in Data Protection

In this new series of insights, we debunk common data protection misconceptions and explain how Tozers can help your business comply with the regulatory framework.

Posted by

Jessica Whittick

Solicitor