In recent years, when our team has been undertaking sale or purchase transactions relating to companies, we have come to expect that the transaction documents will include an indemnity in favour of the buyer against any failure of the target company to comply with its legal obligations in relation to data protection.  Given that data protection law, namely the General Data Protection Regulation (GDPR), has been a part of the business landscape in the UK since 2018, why are buyers routinely concerned about the likelihood of the target company’s failure to comply?

Part of the issue is that, in many companies, data protection tends to have the status of a necessary evil in compliance terms, rather than being part of their DNA. This is understandable, particularly for companies whose main operation uses other people's data only incidentally to their trade rather than as a core element of it, and whose owner-managers are hard pressed in other areas. Our experience is that companies have often bought an off-the-shelf package of documents, or have cut and pasted policies from others' websites, and have not undertaken any regular updating or maintenance of their data, data protection policies or privacy notices since doing so.

A few key considerations from a data protection perspective

At this point, it is worth a reminder about what good compliance looks like. 

Amongst other things, a company should be able to demonstrate the following:

Accountability: a company should be able to demonstrate that it is processing personal data lawfully, namely that it has identified a lawful basis under the UK GDPR for the processing and that individuals have been notified that their data is being processed (and for what purpose). This information is typically provided by way of privacy notices.

Transparency: transparency is a fundamental principle under UK data protection law. Ideally, a company will ensure that it has informed the relevant data subjects about how their personal data will be used, particularly where a change in ownership or in the purpose of processing is anticipated.

Direct marketing: if direct marketing is critical to the company's operations, there is a need to comply with the relevant conditions under the Privacy and Electronic Communications (EC Directive) Regulations 2003, also known as PECR. These are principally concerned with specific rules on marketing by electronic means, including marketing via email, with the aim of protecting people's privacy. Essentially, businesses that intend to send electronic marketing must comply with both PECR and the UK GDPR. The principal thrust of these rules is to ensure that appropriate and current consent has been given by the recipients of direct marketing materials to receive them, and that the company has appropriate reasons for retaining their data and for using it in the way that it does.

Data processing records: companies should have records of what personal data they hold, including third party data, why they hold it, what they use it for, who it is shared with and how long they will hold it for.

Third party processing: most businesses will instruct third parties to process personal data on their behalf. These processors frequently include external payroll providers or providers of remote server storage (including cloud services). Companies should retain, and be able to produce, the contractual terms which apply to these services and ensure that they are compliant with data protection law, in particular in relation to transfers of data out of the UK (for example, for holding in data centres located overseas).

So what can businesses do as a matter of best practice?

  1. Introduce a data protection checklist: a tailored list can help ensure that all relevant data protection considerations are addressed at each stage of the transaction. This should identify the types of personal data involved and assess the lawful basis for processing.
  2. Record keeping: ensure that the company has a formal written record of its processing activities and that it is kept up to date. These records are key to providing a comprehensive overview of ongoing data processing activities and are a mandatory requirement in certain circumstances.
  3. Review privacy notices and policies: companies should ensure that their privacy notices are up to date and accurately reflect the purposes for which personal data is processed. This is key to demonstrating compliance with the principle of lawfulness, fairness and transparency.
  4. Assess international data transfers: ensure that, if data is or may be transferred out of the UK (for example, to or by cloud service providers), the appropriate contractual safeguards are in place and can be demonstrated to be in place.

Why does it matter?

Whilst the Information Commissioner's Office has significant powers to deal with data protection breaches and non-compliance, its tendency to date has been to concentrate on larger companies, higher profile situations and data breaches arising from criminal activity, including fraud. The lack of attention paid to SMEs carrying on ordinary businesses in the usual course has led to neglect on the part of many SMEs. Whilst this may not have an immediate effect, the ICO's policy may change. Poor data protection priorities may also get in the way of a sale transaction, either because of their potential for adverse impact on the target company in the hands of the buyer, or by creating an impression of a cavalier approach to compliance as a whole. They are also likely to have an adverse effect on the terms of a sale transaction.

Our Data Protection & Privacy team provides a variety of data protection services, including assisting companies to implement best practices that comply with UK data protection laws.  Please email mspencer@prettys.co.uk for more information.