Legal considerations when establishing an online Business

Operating an online business is key in today’s World. So, what are the key legal and commercial issues that you need to consider? Let’s take a look. Setting up your website Domain names Your first priority will undoubtedly be to secure one or more domain names for your website. As well as undertaking a […]

Automated decision making and profiling

Here are some key highlights/takeaways from the Article 29 Working Party (now the European Data Protection Board) (EDPB) guidance on automated decision-making and profiling: Profiling and automated decision-making (whether or not this includes profiling) must not be used in way that has “an unjustified impact on individuals’ rights” and certain protections have been built into the […]

Anonymous and pseudonymous data

The Data Protection Act 2018 (which implements the General Data Protection Regulation 2016) (“UK GDPR”), applies to the ‘processing’ of ‘personal data’. The term ‘processing’ is very broadly defined and covers almost anything that can be done with or to personal data, including accessing, transferring and storing that data (in hard copy or electronically). ‘Personal data’ are data […]

Data portability

Data Portability Under the Data Protection Act 2018 (“UK GDPR”), in certain instances individuals have the right to move or reuse personal data that they have provided to a company from one IT environment to another. This right only exists in relation to personal data which is processed by a controller: on the basis of […]

Direct Marketing

The Privacy and Electronic Communications (EC Directive) Regulation 2003 (PECR) sits alongside the Data Protection Act 2018 (UK GDPR). These laws give people specific rights over how their personal data is used by others. PECR contains specific rules which businesses must comply with when making marketing calls, and sending marketing communications via email, text and fax. […]

DPIA’s and privacy by design and default

Under the Data Protection Act 2018 (UK GDPR), the concepts of ‘privacy by design and default’ and ‘data protection impact assessments’ (DPIAs) will be mandatory for businesses which fall within the category of a controller (which will be pretty much all businesses). What is privacy by design and default? Privacy by design requires businesses to: […]

Appointing a data protection officer

Under the Data Protection Act 2018 (UK GDPR), there are three specific cases when it is mandatory for an organisation (whether a controller or processor) to appoint a single data protection officer (DPO) to facilitate their compliance with the UK GDPR: all public authorities and bodies (irrespective of what personal data they process) but not […]

Personal data breaches and notification requirements

Under the Data Protection Act 2018 personal data must be: ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’ principle)’ A personal data breach must be notified by: The […]

What rights do individuals have under the GDPR?

Under the Data Protection Act 2018 (which implements the General Data Protection Regulation 2016) (UK GDPR), individuals (known as data subjects) have the following rights in relation to their personal data: General principles relating to a right of access – controllers: must be clear: information provided to data subjects must be concise, transparent, intelligible and […]

What are the fines for infringement?

Under the Data Protection Act 2018 (UK GDPR) if a business, whether a controller or a processor, infringes the UK GDPR it could be liable for a substantial fine, and also potentially having to pay compensation to data subjects who have suffered material or non-material damage as a result of their infringement. The ICO also […]