Many people get confused about data protection law and I’ve lost count of the times someone has lazily and wrongly told me “You can’t do that because of GDPR”. It seems people know enough to be concerned about compliance, but not enough to do it properly. Are you up to date with the latest developments?
Information about vaccinations
Pimlico Plumbers have said “No jab, no job” about the coronavirus vaccine. You might also want to take this approach but should be careful. First, you must ensure you don’t discriminate against those who haven’t had the vaccine because of, for example, disability or pregnancy. Second, this information is health data and has a higher standard for compliance. What would happen if your list of vaccinated / unvaccinated workers is leaked?
Fines for non-compliance. Damages too
High-profile data breaches by British Airways and Marriott Hotels have raised awareness of the high fines for non-compliance. The ICO levied fines of £20m and £18.4m respectively, although these are much reduced over what was originally threatened. Those companies might also have to compensate the individuals affected if a class action for “non-material damages” is successful. Since compensation to individuals is often £750 per person or more, this could be costly. Let’s see where this goes, but in the meantime, it’s another good reason to ensure you’re compliant.
Sending marketing emails
Clients often ask me if they can send marketing emails since they have heard it is only permissible if the individual has consented upfront. The answer depends of course. Most people know about GDPR. Many people haven’t heard of PECR though. This permits unsolicited marketing emails to corporate email addresses, even ones featuring the recipient’s name. But you must adhere to the safeguards including not contacting them if they ask. There are nuances here which would require a lengthier post, so contact me for detailed advice.
Transferring data to EU and USA
You can continue to transfer personal data freely between the UK and EU. This is because, under the Brexit deal reached at the last minute the UK has promised to mirror EU law – so-called “UK GDPR”. Following this the EU Commission has declared the UK’s law as “adequate” too. The Commission will review this in time in case this changes. For example, the UK Supreme Court is free to reach a different decision on the same law to the European Court of Justice. Remember the ECJ invalidated the US Privacy Shield due to the lack of underlying protections of data. In that case data transfers should be on the basis of the EU’s standard contractual clauses. But be aware that the Commission is about to replace them. And the UK government has threatened to introduce its own version. It’s best to keep my contact details handy!
EEA & UK representatives
Since the UK has left the EU, businesses which have customers but not a branch office inside the European Economic Area might have to appoint a local representative. This is true the other way round too. You may be able to avoid this if you process personal data occasionally, not on a large scale and not in the special categories or criminal offences.
If you need advice, contact me email@example.com or +44 (0) 20 7611 2338.