Data Privacy For Beginners
Last updated: 2021-06-02 (originally published on 2019-10-22) — by Ching Hei Cheung
With the rise of technology as an indispensable facet of the business market, transactions between companies and consumers have never been more convenient and efficient. However, this transition towards an increasingly technology-based business industry brings a plethora of security scares and privacy breaches. Ensure that your company issues the appropriate documents and data policies in order to keep your consumers informed about how their data is being used online.
It’s Happening Now
Data privacy has quickly become an issue of increasing urgency. From social media scandals to privacy and security threats, discussions about personal data and the role of consent in today’s cyber age of online transactions are extremely prevalent. For all businesses at any stage of their lifecycle, all data, including that of customers, employees, and business partners, is considered the company’s most valuable and irreplaceable asset. Apart from the data security concerns that the company should be informed about, you should also note that there are legal obligations on how personal data should be handled. These govern the way in which a business should run on a daily basis so as to ensure absolute confidentiality and privacy.
Firstly, a Data Protection Policy
As many companies utilise the efficiency and convenience of technology as a major component of their business to maximise their outreach and network, it is important to consider the fact that if your business uses computer equipment, operates online, or even uses email to conduct business correspondence and transactions, you need to ensure that you put in place an effective data protection policy.
While conducting business transactions online has become increasingly popular and productive, it nevertheless demands an even more stringent set of regulatory processes. These will ensure that employee, client, or partner information is not at risk of being leaked. A leak will surely jeopardise the reputation of your company and its relationships with customers.
A data protection policy is an internal document that serves as the core of an organisation’s privacy compliance practices. It demonstrates compliance with the General Data Protection Regulation (GDPR) for businesses in the EU and, above all, an awareness and acknowledgement of the importance of data confidentiality.
It is recommended that every data protection policy include the purpose of the policy, which, for EU companies, should cover how it relates to complying with the GDPR. It should also include a definition of the key terms used within the policy, such as controller, processor, and data subject; its scope and who exactly it applies to; and the main principles of data protection and how your company intends to hold itself accountable to these guidelines. It may be useful for your business to appoint someone as a Data Protection Officer (DPO), whose contact information should be included in this document.
Data Request Form
Through online business transactions and correspondence, the client or consumer can also issue a Data Request Form and obtain a copy of their personal data as well as other relevant supplementary information. This type of information may be requested for a myriad of reasons, but most importantly, it demonstrates the company’s willingness to keep its customers informed about how and why it is using their information, and to ensure that these processes are legal.
From a business standpoint, an individual, whether it be a customer or employee, is entitled to obtain the following information from your company:
- Confirmation that you are processing their personal data;
- A copy of their personal data; and
- Other supplementary information – this corresponds to information that you may choose to include within your company’s aforementioned Data Protection Policy.
An individual only has the right to obtain information regarding their own personal data, and not to information relating to other people, unless the information is also about them or they are acting on behalf of someone. Therefore, it is important that your company and its employees are clear on what your data policy entails and whether the requested information directly relates to their personal data.
Data Request Response Letter
Ultimately, your company should issue a Data Request Response Letter as common practice in response to the individual’s request, which is also easily accessible through Zegal’s customisable templates curated specifically for any business’s clients and customers. Other information that individuals have the right to obtain includes:
- The purposes of processing personal data;
- The recipients you disclose the personal data to;
- The retention period for storing personal data or the criteria for determining how long the information will be stored for;
- The safeguards you provide if you transfer personal data to a third country or international organisation.
Data Erasure Request Form
Under Article 17 of the GDPR, individuals also have the right to have personal data erased, often referred to as the ‘right to be forgotten’. However, this is not an absolute right and is subject to certain limitations under which it may not apply. In any case, an individual may issue a Data Erasure Request Form, available on Zegal for your convenience, but the request may only be granted in the following circumstances:
- The personal data is no longer necessary for the purpose for which you originally collected or processed it;
- The business is relying on consent as the lawful basis for which the data can be held, and the individual withdraws their consent;
- The business has processed the personal data unlawfully;
- The business is relying on legitimate interests as a basis for processing personal data, and there is no legitimate interest to continue the processing.
Data Erasure Request Response Letter
Thus, the business may, through the issuance of a Data Erasure Request Response Letter, either grant the individual’s request to have his/her information erased, or reject this request, stating its justification for doing so in its response letter. Examples of circumstances where the right to erasure does not apply include cases where the personal data is being used to:
- Exercise the right of freedom of expression and information;
- Comply with legal obligations;
- Establish, exercise, or defend legal claims.
Data privacy is often considered one of the most laborious, time-consuming, and meticulous components of modern business, whether it be a startup or an established company. What’s more, with technology advancing rapidly day by day, employees and customers alike often demand more stringent means of protecting the data that they are entrusting a business with.
Thus, it is extremely important that your business issues all the relevant data request forms and privacy policies. And we’re here for you. All these templates are available right here on Zegal to make your life much easier and help you to maintain a loyal customer base, reinstate the values of the company as a whole, and reassure consumers by implementing means of protecting private data.
This article does not constitute legal advice.
The opinions expressed in the column above represent the author’s own.
Ching Hei Cheung is a first-year law student and aspiring solicitor studying at the University of Bristol. She is involved in a myriad of extra-curricular activities such as debating team where she has obtained first place in a national competition judged by a panel of legal professionals from Baker McKenzie, commercial awareness society and pro-bono society, in order to refine existing skills in public speaking and negotiations, as well as develop a greater understanding of the commercial market that encapsulates the everyday workings of the legal sector.