JANUARY 2013
Legal Focus
Data Protection Compliance UK
Data Protection issues graced the news pages again recently with Prudential being fined £50,000 for seriously breaching the Data Protection Act by mixing up two customers with the same name and date of birth, resulting in tens of thousands of pounds of retirement funds ending up in the wrong account. The error, which took several years to be rectified, highlights how easily problems can still arise around data protection, and that it is an area that can never be neglected. To find out more, Lawyer Monthly speaks to Bridget Treacy, Managing Partner of Hunton & Williams’ London office and head of the UK Privacy and Information Management practice. Bridget’s practice focuses on all aspects of privacy and information governance for multinational companies, including big data and analytics, cloud computing, cross border data transfers, behavioral targeting and data breach.
According to reports, the ICO received more public complaints about the financial sector for the way their information was handled than any other sector. What are your opinions on this?
Information is an increasingly valuable asset for businesses across all sectors, yet there are significant legal restrictions when it comes to dealing with data that is deemed “personal”. With individuals becoming increasingly aware of their own privacy rights, the ICO has an important role to play. The reportedly high number of complaints about the financial sector is likely to be linked to unsolicited spam texts or emails relating to accident claims and payment protection insurance. The ICO has made it easier for individuals to complain about such abuses by including a complaints form on its website. Just this month, a marketing company which sent some 840,000 illegal SMS text messages a day received monetary penalties totalling £440,000.
How do you think companies can guard against a repeat of the problem Prudential encountered recently?
This was, notably, the first monetary penalty under the DPA that did not relate to a data loss, a reminder that data protection is not just about data security. In the EU, for example, organisations are also required to satisfy a range of other data obligations including stipulations to process data fairly and lawfully, for limited purposes, and to ensure data are not retained unnecessarily.
With this in mind, organisations must adopt a structured approach to ensure they know what personal data they hold, what they are permitted to do with it, and that the data are processed in accordance with the other requirements of the DPA.
Are current data protection regulations simple to comply with or are there multiple complexities?
There are always complexities, particularly when it comes to accommodating the requirements of multiple jurisdictions. That said, organisations can simplify such challenges by adopting an holistic approach to data protection, knowing what data they collect and how they process it, and employing a structured approach to privacy risk assessment. This also allows organisations to utilise data for a wider range of commercial activities.
What are the main complexities?
Reconciling rapidly evolving technology and data processing activities with the constraints of existing law, which is somewhat out of date, is challenging. For example, organisations increasingly wish to utilise cloud-based technologies, yet EU restrictions on the cross-border transfer of data from Europe, and the need to create a chain of responsibility that identifies those organisations that play a role in processing personal data, can create near insurmountable difficulties.
Other routine complexities include the need to satisfy a legal basis for the data processing activity in the first place (personal data may only be processed in reliance on a valid legal basis, which may include consent); the need to ensure that staff are aware of data protection issues and understand how their actions can enhance or endanger data assets; and the need to simply be aware of the extent of their data assets, and of how to utilise or safeguard them.
Has the amount of data protection-related challenges risen considerably as the growth of technology becomes more and more rapid?
Yes. As organisations seek to learn ever more about their customers and enable very targeted service provision, data processing has become much more sophisticated. However, such data strategies must be implemented in the right way. Every organisation should undertake a structured privacy impact assessment, likely to become mandatory under the new EU data protection regulation, before using personal data in new ways.
www.lawyer-monthly.com
Is there anything else you would like to add?
Data is frequently described as the “new currency”, the “new oil” or the “crown jewels” of modern business. Given its inherent value, organisations must ensure that personal data assets are managed in a legally compliant way. Failure to do so may result in regulator enforcement, reputational harm or lost opportunities. LM
Visit Hunton & Williams’ privacy blog at www.huntonprivacyblog.com, and our EU data protection regulation tracker at www.huntonregulationtracker.com.
Contact details:
Bridget Treacy, Partner
Hunton & Williams, 30 St Mary Axe, London EC3A 8EP
Phone: +44 (0)20 7220 5731
Fax: +44 (0)20 7220 5772
Email: btreacy@hunton.com
Website: www.hunton.com