Current Data Protection Issues
1. Post-Brexit data protection issues
Data protection legislation remains the same for now, under the Data Protection Act 2018. If the country in question is in the EEA or has an EU adequacy decision, then there’s no need to take any special precautions when transferring data to that country. The UK will make its own decisions about which other countries are safe in the future, but, until then, you can rely on the previous decisions from the EU.
One post-Brexit area that is new is the need to appoint an EU representative in certain circumstances, for example where you offer goods or services to EU citizens but don’t have an office in the EEA. This is something that you should check and put in place if you haven’t already done so. You can read more about it here: ICO guidance on EU representatives.
2. COVID-19 vaccination data
The effects of COVID-19 have been significant. We all have a role to play to protect ourselves, our families and our communities. Understanding the legal basis for collecting and holding vaccination data on employees is important for businesses. With consent, they can then use this to keep staff and customers safe.
3. Photographic data
It is important to think about:
- the kind of photos and videos you hold that include your employees;
- why you hold them; and
- how you use them.
For example, you might use them on passes to identify people and permit access to premises, or to show your team on your website. You need to be clear with your employees about how photographs of them will be used and what consent you rely upon for this use. If an important member of the team later withdraws their consent for using their image for marketing purposes, you might need to remove their image from your website.
You should regularly review your policies to keep them up-to-date and compliant.
4. Subject access requests and other rights
Under the old data protection law, data subjects could make subject access requests (SARs) for a nominal fee, to see what data you hold about them. They still have this right, but there is no fee chargeable now. However, people are now starting to use some of their new rights under GDPR – for example, the right to restrict processing, or the right to erasure. You must make sure you:
- are equipped to deal with SARs and these other rights;
- have trained your staff; and
- have systems in place to implement this.
If you fail to comply and the requestor complains to the ICO, remember that a lack of resource is not a good reason for failing to deal with these requests.
5. ICO guidance may be out-of-date
The ICO website can be a great tool for data protection guidance, but we’ve found some of their documents include pre-GDPR guidance. So be wary of using older ICO guidance.
One of the fundamental things that changed with GDPR was how you obtain consent. Previously, in many situations consent could be implied, e.g. if the data subject could fairly be assumed to know the nature and the purpose of the collection of their data. With the current definition of consent, the bar is much higher, and, as a result, implied consent is generally no longer a good option.
As the nature of business has changed, the role of data and its protection has also changed. We recommend regular audits and reviews of your policies and practices, to make sure you stay compliant.
We hope you enjoyed this article on the main current data protection issues. If you are still unsure of GDPR, Legalo has a great (very detailed) free guide on it and, in particular, how it applies in marketing situations.