NEWS EXTRA PRACTICAL GUIDANCE ON COMPLYING WITH DATA PROTECTION LAWS
Carl Johnson, head of regulatory at Stephensons Solicitors, looks at the practical aspect of complying with the latest data regulations.
LATE LAST YEAR, a motor industry employee was given a six-month prison sentence for accessing thousands of customer records containing personal data without permission, using his former colleagues’ log-in details to access a software system that estimates the cost of vehicle repairs. The UK’s data protection regulator, the Information Commissioner’s Office (ICO), brought the prosecution under the Computer Misuse Act 1990. Most cases are prosecuted by the ICO under the Data Protection Act. However, in some cases it can prosecute under other legislation – in this case section 1 of the Computer Misuse Act – to reflect the nature and extent of the offending and to give the sentencing court a wider range of penalties.

Of course, as is well known, the law in this area changed when the General Data Protection Regulation (GDPR) came into force in the UK in May 2018. The GDPR governs how businesses (known as data controllers) handle the personal information of their customers and employees. It significantly strengthens the regulation of data controllers, providing the ICO with powers to impose substantial fines for non-compliance. It also provides individuals with an array of rights which consumers and employees can look to enforce via the courts. There are huge financial penalties available to the ICO for cases of non-compliance – fines of up to 4% of a company’s annual global turnover for the preceding financial year or the equivalent of around £18 million, whichever is greater.

On this it’s worth noting, as the BBC has reported, that supermarket Morrisons has recently been found vicariously liable for a data breach that saw thousands of its employees’ details posted online. Workers brought a claim against the company after an employee stole the data, including salary and bank details, of nearly 100,000 staff. While he was jailed for eight years in 2015 after being found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data, the ICO found that Morrisons had not breached data protection law.
And in November 2017, Jewsons had to warn customers that the personal data of up to 2000 customers was at risk following a data security breach. For many businesses, ensuring full compliance with the law will be a sizeable task; however, taking the following steps should provide a good starting point:
Audit data processing activities
Firms should consider where, when and how they process personal data. They should map their processing activities so they can identify all types of data processing that the company carries out. They should then seek to ensure that they have a lawful basis for each type of processing that they are conducting. The lawful bases for processing are: ‘consent’, ‘performance of a contract’, ‘legal obligation’, ‘vital interests’, ‘public interest/exercise of official authority’ and ‘legitimate interests’. Whether one of the above applies to any particular type of processing will depend entirely on the circumstances. Additional conditions also apply to any processing of ‘special categories’ of data – such as information about a person’s health – which is prohibited unless further conditions are met.
Review contracts/service agreements with ‘data processors’
Data processors are those who process personal data on someone else’s behalf. A good example of this is where a company outsources its payroll to an external company. In that instance, the external company is a data processor. The law requires data controllers to ensure that they only appoint data processors who have provided sufficient guarantees regarding their GDPR compliance. The law also
www.buildersmerchantsjournal.net March 2019