
Data protection law - mistakes and misconceptions


One of the main reasons an organisation should comply with data protection law is to give data subjects confidence that the organisation can be trusted and takes compliance seriously. This confidence can be easily undermined if mistakes are made, so in this article we highlight some lesser known data protection law mistakes and misconceptions: 

1. Electronic marketing is governed by both the UK GDPR and PECR (Privacy and Electronic Communications Regulations); it is not an either/or situation. This means that even if your electronic marketing is UK GDPR compliant, that doesn’t mean it is compliant with PECR. Admittedly, the fines which can be imposed for breaches of PECR are currently a lot lower than those which can be imposed for breaches of the UK GDPR (although this will change if the proposed reforms being considered by the UK government come to fruition), but they are currently much more frequent.

2. A privacy policy is an internal policy document (i.e. one which explains to an organisation’s employees how personal data should be handled). A privacy notice is a document which explains to data subjects (either employees/other staff or individuals outside of the organisation) how their personal data will be processed. An organisation may have more than one privacy notice. Neither a privacy policy nor a privacy notice replaces the need for a data processing agreement between a controller and a processor, despite what some processors may think!

3. Privacy notices must be presented to data subjects when personal data about them is being collected, but organisations do not need to ask data subjects to “agree” to their privacy notice. A privacy notice is not a contract which needs accepting or agreeing to. 

4. An organisation can be an individual controller, joint controller, processor and sub-processor all at the same time and even in relation to the same personal data. What is important is what the role of an organisation is in relation to particular processing of personal data. For example, a SaaS provider may be generally considered a processor when its customers use its platform, but it may wish to be a controller in limited circumstances, so that it can use certain personal data collected for its own purposes for analytics and service improvements. 

5. Corporate email addresses and telephone numbers are personal data, albeit processing of such personal data is likely to be low risk. 

6. Despite what some scaremongers may have you believe, at the current time in the UK, risk of fines for failure to comply with the UK GDPR is not the main reason to comply with data protection law. Enforcement action and fines for breach of the UK GDPR are currently fairly rare (there were only 2 in 2023 and even then most fines are appealed).

7. Complaints by data subjects to the ICO (Information Commissioner’s Office) are not confidential – they are published by the ICO, even if they are unfounded. 

8. Reporting breaches “just to be on the safe side” when they do not need to be reported is not the way forward. The ICO is actively discouraging such reporting and all reported breaches (even if the ICO take no action) are published.

9. The Data Privacy Framework (DPF), aka the UK/US data bridge, does not apply to all transfers of personal data to the US. Firstly, the US importer must be certified to the DPF and certain US organisations are not eligible to certify (e.g. organisations such as banks and insurance companies). In addition, the type of personal data to be transferred needs to be considered because: journalist data cannot be transferred under the DPF; if HR personal data is transferred, this must be called out under the US importer’s certification; and genetic data, biometric data for identification, criminal offence data and data concerning sexual orientation must be expressly identified to the US importer as “sensitive”, otherwise it isn’t appropriately protected.

10. Non-compliance with cookie requirements will not be overlooked any longer. The EU data protection authorities together with the ICO in the UK are paying much more attention to compliance with the PECR rules relating to cookies. In particular, websites should have cookie banners which make it clear if a website collects non-essential cookies before any cookies are placed, users must be able to reject cookies on the first layer of the cookie banner (i.e. it shouldn’t take one click to accept cookies but two or more to reject) and “dark patterns” shouldn’t be used to push users towards acceptance (i.e. accept is in big letters in a colourful box, whilst reject is in small letters in a greyed out box).

11. It is best practice now for e-commerce sites to allow a “guest checkout” so that shoppers are not required to open an account in order to purchase. 

12. When responding to a data subject access request, you are required to provide the requester with a copy of their personal data – this does not mean that you are obliged to provide a copy of the document / file that contains their personal data (e.g. a transcript of a telephone discussion can be provided rather than the actual recording), although sometimes this may be the easiest way to comply where the information in the document / file is not particularly contentious/sensitive or does not refer to other individuals.

13. Last, but not least, although hopefully this is one we all know, the UK GDPR sets out six bases for processing personal data. Each basis for processing is equal, despite what some people think. Consent is not a trump card and more often than not, it is not the best condition to rely on. 

Our data protection team has many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team you can get in touch here or call us on 0800 2800 421

If you have not received this article directly, but would like to receive articles and data protection news alerts from Trethowans, please email [email protected].
