In this new series of insights, we debunk common data protection misconceptions and explain how Tozers can help your business comply with the regulatory framework.
“My business only needs to worry about protecting a customer’s bank details, payment information and medical records.”
This is incorrect. Protecting only the obviously sensitive data will likely leave your business in breach of data protection legislation.
What is personal data?
Personal data is any information relating to an individual who can be identified, directly or indirectly, from that information, whether by an identifier such as a name, an identification number, location data or an online identifier, or by one or more factors specific to that individual. It is not limited to sensitive information such as bank details, payment information and medical records. All personal data must be protected.
If customer data such as names, addresses, email addresses and phone numbers falls into the wrong hands, and the breach is likely to result in a risk to the rights and freedoms of individuals, you must report it to the Information Commissioner’s Office (‘ICO’) without undue delay and, where feasible, within 72 hours of becoming aware of it, and you may face sanctions. Equally, if you misuse an individual’s personal data you will fall foul of the regulatory framework and may be sanctioned.
Why does all personal data need protecting?
Ensuring the security of personal data is essential for:
· Ensuring an individual’s right to privacy;
· Maintaining confidentiality;
· Preventing identity theft;
· Preventing discrimination; and
· Protecting and maintaining your business.
Personal data is valuable. It has significant economic value because it can be used to predict behaviour, influence interests and target customers for repeat business. A business may only process personal data where it has a lawful basis for doing so and for specified purposes; otherwise the individual’s right to privacy prevails.
What happens if we don’t?
The ICO is the UK’s independent regulator for information rights. It has a range of enforcement powers, for example:
1. Issuing information notices that require you to provide specified information.
2. Issuing enforcement notices that require you to take, or refrain from taking, particular steps.
3. Issuing monetary penalties of up to £17.5 million or 4% of annual worldwide turnover, whichever is higher, for the most serious infringements of the UK GDPR. (A separate maximum of £17 million applies to contraventions of the Network and Information Systems Regulations 2018.)
Examples of recent enforcement action include:
· Data records not protected against software vulnerabilities. On 30 July 2024, the ICO reprimanded the Electoral Commission after attackers gained access to servers that had not been patched against known vulnerabilities, exposing the personal information of approximately 40 million people, including names and home addresses.
· Using “CC” rather than “BCC”, revealing the email addresses of all recipients. In April 2024 the ICO fined the Central YMCA £7,500 after an email sent to participants in an HIV support programme identified, or potentially identified, individuals likely to be living with HIV from their email addresses.
· Names and addresses of other residents made available. In April 2024 the ICO reprimanded Clyde Valley Housing Association after it released a new customer portal in which users could view the names and addresses of other residents; the portal was live for six days before it was suspended.
· Unsolicited marketing messages. In December 2023 the ICO took action against Daniel George Bentley, the sole trader and director of Taipan Trading Ltd, after he and his company sent over 2.5 million unsolicited text messages to individuals.
What are the special categories of personal data?
Personal data referring to an individual’s:
· Race;
· Ethnic origin;
· Political opinions;
· Religious or philosophical beliefs;
· Trade union membership;
· Genetic data;
· Biometric data (where used to uniquely identify an individual);
· Health data;
· Sex life; or
· Sexual orientation.
There are stricter rules for processing special category data: as well as a lawful basis for the processing, you must also satisfy one of the separate conditions that apply specifically to special category data, and you should document both.
What about criminal convictions?
Personal data also includes information relating to criminal convictions and offences. This is not a special category, but it is subject to similar additional safeguards and requires a higher level of protection.
How can Tozers help me?
Everyone responsible for using personal data (which includes simply storing it) has to follow strict rules, and lawyers play a crucial role in navigating the complex legal landscape surrounding personal data.
Tozers’ expert Data Protection Team can help you comply with the regulatory framework by:
· Providing advice and guidance.
· Advising on data protection impact assessments and on the technical and organisational measures needed to mitigate or manage the risks you identify when introducing new systems.
· Drafting bespoke data protection policies.
· Providing training to staff.
· If the worst happens, preparing written representations to the ICO to dispute any proposed penalty notice.
If you require advice, speak to one of our legal experts today in a no-obligation phone call.