One of the major developments in the world over the last 18 months is, of course, the effect of COVID-19. Many organisations are currently grappling with the question of whether they can or should ask for vaccine information about staff. In data protection terms, it is possible to collect and hold this information, but you need to be very clear about why you are collecting it, and think carefully about the legal basis you are using, and how you communicate this to staff.
It can be really helpful to hold and use images and videos of your employees – whether for identification purposes to allow access to a building, or as a marketing tool on the website. It’s important that you are clear with employees what you are doing with these images, how they might be used, and what legal basis you rely upon for this use.
If you were to rely on consent for marketing purposes, for example, what happens if an individual initially consents, but then withdraws that consent? How difficult would it be to provide access to the building or to remove their image from your website or printed brochures? What would be the cost of this? We recommend a regular review of data protection compliance in any event, but it may be worth checking your current policies, and what you’ve said/done in the past to make sure you are compliant going forward.
The Information Commissioner’s Office (ICO) has updated most of its guidance, but there are still some documents available which refer to the “old” pre-GDPR regime. These documents are useful as a guide, but if you are using pre-GDPR guidance, it’s worth checking it before relying upon it.
As an example, there were lots of situations pre-GDPR where you would rely on consent, because consent was relatively easy to get, and could be implied. With the current definition of consent, the bar is much higher, and consequently consent is not always the best option. If the ICO guidance you’re reading is therefore pre-GDPR, we recommend reviewing it in more detail before placing reliance on it.
Subject Access Requests (SARs) are not going away, and individuals are starting to use other rights alongside the right to receive information – such as the right to restrict processing, or the right to erasure. Businesses need to make sure that they are equipped to recognise these rights, and have the systems in place to deal with them once they are received.
The ICO is a relatively pragmatic regulator, but lack of resource is not a reason not to deal with these requests. Keeping in contact with the requestor is always a good tip – particularly if you are likely to miss the deadline or need clarification. The search is also a key aspect of dealing with a SAR, and if you can get the search parameters right at the outset, you can save yourself a lot of work when it comes to the page-by-page review.
Brexit ended up being relatively painless in relation to data protection. In terms of making transfers to overseas companies, the rules remain the same for now – which means that if the country in question is in the EEA or had an EU adequacy decision pre-Brexit, you can send information without additional safeguards. The UK does have the power to make its own decisions about which countries are “safe”, so new lists will eventually appear, but for now, we can rely on the EU decisions.
One area that is new is the need to appoint an EU representative in certain circumstances – such as where you offer goods or services to EU citizens. If you are a UK-based organisation with no other offices, and you are working with EU customers, this is something to check and put in place if you haven’t already done so.
As businesses adapt and change to new ways of working and new technologies become more widely available, it is inevitable that data protection law will have to keep up, so we should expect changes in guidance and even potentially legislation in the future. Data protection is an ongoing obligation, which means we recommend regular audits/reviews to make sure that you are ready for change, rather than reacting to it.