Does data protection legislation apply to B2B?
Yes. Personal data about people at other businesses (a contact's name, work email address, direct dial number) is still personal data. You need a lawful basis for processing it and appropriate security measures to protect it, together with a cradle-to-grave approach to information assurance and records management: knowing what you hold, where it is, who can access it, and when it is disposed of.
Do I need to register and pay a fee to the ICO?
Probably yes, although there are some exemptions. There are three tiers of fee: £40, £60 and £2,900. Most organisations and sole traders fall into Tier 1 or Tier 2. Not paying when you should is a fixed penalty in its own right, of up to £4,000 on top of the fee, so check whether an exemption genuinely applies to you before deciding not to register.
My Privacy Notice forms part of my T&Cs and people need to agree to it, don’t they?
No. A Privacy Notice is a transparency document: it tells people what you do with their data and why, and it is never part of any T&Cs and is never agreed to, consented to or otherwise accepted. Consent to processing, where you rely on it, is a separate and specific act, not a tick against your Privacy Notice. See my blog post on this, and get in touch if you would like me to review yours and give feedback.
Does Brexit mean the GDPR won’t apply after the transition period?
The GDPR was written into UK law alongside the DPA18, and it is here to stay. Post transition, the UK will more than likely be treated as a third country, at least in the short term, unless and until the EU grants it an adequacy decision. UK organisations will still be able to pass data freely to EU countries, but a lawful transfer mechanism will be needed for data coming from the EU into the UK. Examples of a lawful transfer mechanism are Standard Contractual (Model) Clauses or, for multinationals, Binding Corporate Rules (BCRs). Whatever you do, don't do nothing: if you prepare now, you won't need to panic nearer the time.
Is Cookie data personal data?
Often, yes: a cookie identifier or similar online identifier can single someone out, and the GDPR treats online identifiers as personal data. Either way, setting or reading cookies, beacons and trackers (including social media widgets) on websites and in emails falls under PECR 2003, and any of these technologies that are not classed as essential need the data subject's consent before they are dropped onto a device. That requirement has been around since the 2009 amendment to the ePrivacy Directive, implemented in the UK in 2011. 'Essential' means strictly necessary to provide a service the visitor has actually asked for, such as a login session or a shopping basket, where the site would break without it. Marketing and analytics cookies aren't essential, regardless of how much your marketing team tell you they are.
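The rule above is simple to state and easy to get wrong in code: the common failure is firing every tag on page load and asking for consent afterwards. The following is an added example, not code from the original page, showing a small consent gate that lets strictly necessary cookies through, holds back non-essential ones until the relevant category is opted in, and removes them again when consent is withdrawn (withdrawal must be as easy as giving it). The cookie names, the category names and the plain object standing in for `document.cookie` are assumptions chosen for illustration so the example runs offline.

```javascript
// Added example: consent gate for non-essential cookies (not from the original page).
// A plain object stands in for document.cookie so this runs in Node without a DOM.
const ESSENTIAL = 'essential';                 // strictly necessary: no consent needed
const NON_ESSENTIAL = ['analytics', 'marketing']; // assumed category names

class ConsentGate {
  constructor(jar) {
    this.jar = jar;              // where cookies are written (stand-in for document.cookie)
    this.consent = new Set();    // categories opted in to; empty by default, nothing pre-ticked
    this.pending = [];           // non-essential cookies requested before consent was given
    this.written = new Map();    // cookie name -> category, so withdrawal can clean up
  }

  // Returns true if the cookie was written now, false if it was held back.
  setCookie(name, value, category) {
    if (category === ESSENTIAL) {
      this.jar[name] = value;
      this.written.set(name, category);
      return true;
    }
    if (!NON_ESSENTIAL.includes(category)) {
      // Refuse rather than guess: an unclassified cookie must not slip through as essential.
      throw new Error(`unknown cookie category: ${category}`);
    }
    if (this.consent.has(category)) {
      this.jar[name] = value;
      this.written.set(name, category);
      return true;
    }
    this.pending.push({ name, value, category }); // queue until the user opts in
    return false;
  }

  // Opt in to one category and release anything queued for it.
  grant(category) {
    this.consent.add(category);
    const release = this.pending.filter((c) => c.category === category);
    this.pending = this.pending.filter((c) => c.category !== category);
    for (const c of release) this.setCookie(c.name, c.value, c.category);
  }

  // Withdraw consent: stop future drops and delete what was already set for that category.
  withdraw(category) {
    this.consent.delete(category);
    this.pending = this.pending.filter((c) => c.category !== category);
    for (const [name, cat] of [...this.written]) {
      if (cat === category) {
        delete this.jar[name];
        this.written.delete(name);
      }
    }
  }
}

// Constructed walk-through of one visit: the site drops a session cookie, two
// non-essential tags try to fire on load, the visitor opts in to analytics,
// then changes their mind. Returns the jar contents at each step.
function simulateVisit() {
  const jar = {};
  const gate = new ConsentGate(jar);
  gate.setCookie('session_id', 'abc123', ESSENTIAL);   // login session: strictly necessary
  gate.setCookie('_ga', 'GA1.2.999', 'analytics');     // held back until consent
  gate.setCookie('fbp', 'fb.1.555', 'marketing');      // held back until consent
  const beforeConsent = Object.keys(jar).sort().join(',');
  gate.grant('analytics');
  const afterAnalytics = Object.keys(jar).sort().join(',');
  gate.withdraw('analytics');
  const afterWithdraw = Object.keys(jar).sort().join(',');
  return { beforeConsent, afterAnalytics, afterWithdraw, stillPending: gate.pending.length };
}

console.log(simulateVisit());
```

The important design choice is the default: the consent set starts empty, so a tag that fires before the banner has been answered is queued rather than written, and withdrawal deletes the cookies it previously allowed instead of merely stopping new ones. A real deployment would persist the consent choices themselves (in a strictly necessary cookie) and also gate the loading of the tracking scripts, not just the cookie writes.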
Is Consent always needed to process personal data?
Not at all. There are six lawful bases for processing personal data, and Consent is just one of them (special category data needs an additional condition on top). Consent also has to be as easy to withdraw as it was to give, so it is a poor fit for anything you could not stop doing: can you imagine trying to withdraw your consent from HMRC? The other five lawful bases are: Contract, Legal Obligation, Vital Interests (life and death), Public Task and Legitimate Interests.
Are all these GDPR and PECR requirements new legislation?
Not entirely. There are a few genuinely new areas, such as the right to data portability, but the requirements aren't so dissimilar to the DPA98. Individuals' rights were strengthened and the time allowed to respond to a rights request was shortened from 40 days to one month, amongst other changes. If you were processing personal data correctly under the old legislation, the chances are you didn't need to do much when the GDPR and DPA18 came in, apart from documenting what you do to evidence your Accountability.