10 July 2024
You Ask, We Answer: Data Protection Edition
Jess Pembroke, Head of Data Protection, Becky Hall, Information Governance Manager, and Sofia Carroll, Information Governance Manager, answer your questions about data protection:
“What are the legal bases for data protection?”
Whenever you handle (process) personal data (for example photographs or documents relating to an identifiable living person) you need a lawful basis. A lawful basis is essentially a gateway in law (Article 6 of the UK GDPR) that permits you to use personal data for a particular purpose. There are six lawful bases for processing personal data, and these are:
- Consent: the individual has given clear, specific consent to the processing
- Contract: the processing is necessary for a contract with the individual, or to take steps at their request before entering into one
- Legal obligation: the processing is necessary to comply with the law (not including contractual obligations)
- Vital interests: the processing is necessary to protect someone’s life
- Public task: the processing is necessary to perform a task in the public interest or to exercise official authority
- Legitimate interests: the processing is necessary for your or a third party’s legitimate interests, unless the individual’s interests or rights override them
Lawful bases should not be confused with the seven data protection principles (lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability), which apply to all processing whichever lawful basis you rely on. You should identify and document your lawful basis before you start processing, and tell individuals about it in your privacy notice, because changing basis later is difficult. Having a good understanding of these lawful bases is crucial to ensure your organisation is processing data fairly and lawfully.
“Do we need consent to share data for marketing purposes?”
Making sure that you have an individual’s consent to contact them for marketing purposes is a key part of complying with the applicable legislation. Under data protection law an individual has an absolute right to object to their personal data being used for direct marketing, whatever lawful basis you rely on, and where you rely on consent they may withdraw it at any time, so your systems need to be able to act on an objection or withdrawal promptly. In addition to the UK General Data Protection Regulation, organisations must comply with the Privacy and Electronic Communications Regulations (PECR), which set specific rules for marketing by electronic means such as email, text message and automated calls and generally require prior consent before sending such messages to individuals.
In some cases you may be able to rely on the ‘soft opt-in’ to contact existing customers by email or text about your own similar goods or services without separate consent, provided that you obtained their contact details in the course of a sale (or negotiations for a sale), that you gave them a simple way to opt out when you collected their data, and that you offer an opt-out in every message you send. The ‘soft opt-in’ is limited to these situations and cannot be used by certain organisations, such as charities and other not-for-profit bodies.
“What policies should organisations have in place to be compliant with data protection law? What role do policies play in demonstrating compliance with data protection regulations?”
If your organisation processes special categories of personal data or criminal offence data and relies on certain of the conditions in Schedule 1 of the Data Protection Act 2018 to do so, it must have an Appropriate Policy Document in place that explains how it complies with the data protection principles and its retention and erasure practices for that data.
Organisations must also have a privacy notice, but this should not be confused with policies, which are internal documents setting out the organisation’s approach to compliance. Policies play a central part in the accountability principle: they are the evidence that you have thought about your obligations, assigned responsibilities and given staff clear procedures, and a regulator will expect to see them when you are asked to demonstrate compliance.
Organisations should have in place a:
- Data Breach Policy
- Data Rights Policy
- Complaints Policy
- Data Sharing Policy
- Information Risk Policy or Overarching Risk Management Policy
- Data Protection Impact Assessment Policy/Procedure
- Records Management Policy
- Mobile device and a home/remote working policy
- IT Security/Acceptable Use Policy
Naomi Korn Associates have a range of template documents available to our clients. For more information about our document services please see our Data Protection services: https://naomikorn.com/services/data-protection/.
“What do we need to consider about children and privacy? What special protections apply to children’s personal data under data protection laws? How can my organisation handle children’s data ethically and legally?”
Recital 38 of the UK GDPR states that: “Children require specific protection with regard to their personal data as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child…”
Children have the same rights as adults over their personal data, and in some cases a child with sufficient understanding can make their own request for their personal data rather than relying on a parent or guardian to do so.
Privacy notices should be clear and understandable for children, explaining how their data is processed and what rights they have, in language appropriate to their age.
When offering online services directly to a child, only children aged 13 or over can provide their own consent. For children under 13, consent must come from whoever holds parental responsibility, unless the service is a preventive or counselling service offered directly to a child. Children’s personal data used for marketing or to create profiles requires special care, and the default should be not to profile children unless you can demonstrate a compelling reason and appropriate safeguards.
The ICO Children’s Code (the Age Appropriate Design Code) is a statutory code of practice that sets out how online services likely to be accessed by children should comply with the UK GDPR when using children’s data. If your organisation offers an online service that falls within the scope of this code, you must conform to it.
If your organisation is covered by the ICO Children’s Code, Naomi Korn Associates can conduct an audit of your compliance with this code. For more information about our audit services please contact info@naomikorn.com.
Eager to learn more about Data Protection? Naomi Korn Associates’ next Data Protection Essentials course is a fundamental two-part online workshop which provides a practical and hands-on approach to understanding data protection. Participants will gain the knowledge and skills needed to navigate data protection in real-world scenarios. Attendees will also gain an understanding of the UK’s key data protection legislation (the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018). (6 CPD Points, next 18 & 19 September, 9:30am-1pm).
If you’re looking to build on your Data Protection knowledge, our upcoming intermediate course is a perfect opportunity: Lawful Digital Marketing and Consent, which explains the regulatory framework for conducting lawful marketing via electronic means. Participants will not only gain knowledge of the key laws operating in this sphere – the Privacy and Electronic Communications Regulations and the UK General Data Protection Regulation – but will also understand their relationship in a marketing context. The course addresses a common knowledge gap: when consent is needed to lawfully send marketing messages to individuals, and how to demonstrate compliance when obtaining valid consent (including for cookies). This is achieved with accessible explanations of the rules, real-life examples and case studies. (3 CPD Points, next 31 July, 9:30am-1pm).
Each of our intermediate courses can be taken as an individual course or as part of our Intermediate Certificate (available in Copyright and in Data Protection). For further information, please see our ‘Certification and Accreditation’ page. For a full description of all courses, please see ‘Our Courses’ page. For a full online timetable, please go to our ‘Online Courses’ page. If you have any queries or would like to get in touch, please reach out to our Training Manager at info@naomikorn.com.