Data Protection – Gannons

Confidentiality and personal data issues arise in many commercial transactions. Often these issues arise in ways people do not appreciate. Yet, you risk stringent non-compliance penalties, criminal sanctions, large fines, and civil liability.

The Information Commissioner enforces the Data Protection Act 1998 with wide-reaching powers. These days, we see the Commissioner becoming more active and collecting larger fines. Individuals as well as companies are liable.

We suggest executives understand their obligations under the Data Protection Act, and institute the correct procedures and consents before any transaction.

How Gannons supports your business

Clients use Gannons to:

  • Ensure staff, when acquiring and using data, understand the business and regulatory risks;
  • Protect vital data such as customer and supplier data, know-how, intellectual property or financial information;
  • Register: the associated duties of, and take responsibility as, a data controller;
  • Manage Subject Access requests, and head off demands for document trawling;
  • Understand their legal responsibilities when handling, e.g., client, employee, and financial data, including data obtained via marketing, subscription or online trading;
  • Institute appropriate legal paperwork and policies. For example, create a Data Protection policy covering all business functions including outsourced functions;
  • Create procedures to ensure compliance with your Data Protection policy.

Data protection situations requiring vigilance

These situations often pose risks:

Business purchases

Here the issue is how to disclose information to a prospective buyer and ensure your data is processed fairly and lawfully. In pre-sale disclosures, perhaps anonymise the information and/or sign confidentiality agreements. The requirement for fair processing of information extends to dealing with the transfer of data on completion of a commercial agreement.

Obtain consent

In some circumstances consents will be needed from data subjects (usually employees or customers). Free and informed consent must be given, especially for the processing of personal data, and in the case of employees this may not be possible. However, in the case of a transfer of an employee’s contract of employment to ensure continuity of the employee’s job, a balance exists that could probably justify it, depending on the employee’s “legitimate interest”. This is often beneficial in a commercial transaction, as it would often not be practical and/or desirable to have to contact each individual who is a “data subject” to provide consent.

Sensitive data

Sensitive personal data is defined as “racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life, or commission of or proceedings for any offence committed or alleged to have been committed by the data subject”. There are more onerous conditions governing the processing of sensitive personal data. Explicit consent from the data subject is required. Breaches relating to sensitive personal data are likely to be viewed more seriously by the Information Commissioner and there are considerable powers under the Data Protection Act for non-compliance.

Data exports

Processing data outside the EEA is prohibited unless an adequate level of protection can be provided (save for some limited exceptions). We can guide you through the process and the countries that provide adequate protection.

Data protection policies

It is advisable for employers to have in place a data protection policy. We are frequently asked to assist in drafting these policies, which are often contained in employee handbooks. We can advise on updates to employee handbooks required to remain compliant with the Data Protection Act.

Joint ventures

Issues arise both prior to the contract being signed and on completion, for example where there will be online marketing of new services to the other’s existing database. It is not safe to rely on the “legitimate interest” condition in a joint venture scenario. Businesses cannot send communications electronically by text or e-mail without specific consent. It is best practice to have a joint form of notice to data subjects if both parties will be processing data.

Service providers

Following completion of the contract, the company will begin to transfer personal details of employees, contractors and clients to the service provider. The data subjects must be aware of the disclosure and that the third party is now processing the data. Contract terms with clients can overcome these difficulties, and we can advise on where it may be appropriate to rely on them.

Indemnities and Warranties

Check with us that you do not take on obligations over which you have no control and no redress if problems arise. The correct drafting of indemnities and warranties in commercial transactions is therefore very important.

