Personal information is precious, and businesses can face financial penalties and reputational damage if they don’t handle it with care or respond properly to requests by individuals for their data.
Do you accept cookies? It’s a question we’re now used to seeing whenever we go online, in those irritating pop-ups that interrupt our web browsing.
It’s all because, since the European Union introduced its General Data Protection Regulation (GDPR), the onus has been on organisations to protect personal data.
This means they must obtain consent for collecting information about individuals – whether that’s by using website cookies or other means – and they must store it safely and ensure people can access data held on them upon request.
Although GDPR originated in the EU, the regulations still apply in the UK despite Brexit. They were adopted into the Data Protection Act 2018, so there is no escape for UK businesses from the penalties that come with a failure to comply,
Those penalties can be severe, with a maximum fine of around £18 million or 4% of annual global turnover – whichever is greater – for infringements. So far GDPR has claimed some high-profile scalps, the largest being a fine of more than €1.2billion to Meta, owner of Facebook.
However, the Information Commissioner’s Office (ICO), which essentially polices compliance with GDPR, is unlikely to slap a huge fine on an organisation which can show it is aware of its data protection obligations and is genuinely trying to ‘get it right’, even if there is room for improvement. There are however also the added risks of damage to trust and reputation for businesses which breach the regulations.
With financial and reputational penalties at stake, it’s important that businesses ensure they understand their obligations relating to Data Subject Access Requests and the use of website cookies.
What is a Data Subject Access Request?
Any individual whose data is held by an organisation (a Data Subject) has the right to find out what personal information that organisation (a Data Controller) holds on them. This request is known as a Data Subject Access Request (DSAR).
This right allows them:
- to obtain confirmation a data controller is processing their personal data
- to access their personal data
- to obtain certain other information about the processing and their rights – such as the right to rectification or erasure of certain information, or the right to complain to the Information Commissioner’s Office
How quickly should I respond to a Data Subject Access Request?
Timing is everything – you must respond within a month of receiving the request. In certain circumstances it is possible to extend the period for up to an additional two months, but the initial response explaining the necessity for the extension must still be sent within a month.
What information is covered by a Data Subject Access Request?
It is key to remember when handling a DSAR that it only relates to the data subject’s personal data.
Personal data is information from which a living individual is identified or identifiable (meaning they can be identified either with or without additional information).
This does not mean it needs to include the name of the individual – for example an IP address can be considered personal data.
As well as identifying the individual, the data must relate to them in some way to be personal data, so it must be data about the individual or their activities.
Must I hand over all documents containing personal data?
No – and this is often crucial when it comes to difficult issues such as employment disputes.
Often DSARs are made by employees or former employees who are involved in an employment dispute with an organisation, or by parties to litigation, in the mistaken presumption that it will entitle them to copies of documents they would otherwise not be entitled to receive.
However, the right is to their personal data, not the entire document containing their personal data. This means you do not have to hand over the entirety of any document containing the personal data – just the data itself.
Are there exceptions where I do not need to comply with a Data Subject Access Request?
There are several circumstances in which a DSAR does not need to be complied with, or where certain data need not be disclosed. It is highly recommended that you seek specialist legal advice to ensure a legitimate exception applies.
DSAR’s that need not be complied with may include:
- Those which are unfounded or manifestly excessive – although you ought to write to the data subject to explain this and not simply ignore the request
- Those where disclosing the personal data to the data subject would result in harm to the rights and freedoms of other individuals. Generally, it is possible to disclose with third party personal data redacted
- Certain other reasons such as the data being protected by legal privilege, or it forming part of the organisation’s management information
What are the laws and regulations covering the use of cookies?
Cookies are small packages of data used to track an individual’s internet browsing across multiple sites and apps. They are the reason why you might look for an item on a shopping website, and later see a targeted advert for that item on a different site.
The use of cookies, website plug-ins and other similar technology is regulated by the Privacy and Electronic Regulations (PECR).
PECR applies whether or not the cookies deal with personal data – in other words they apply to all data, whether anonymised or not. If cookies process personal data then that will give rise to greater security and privacy risks, and GDPR will also apply.
Cookie complaints
It is becoming common for businesses to receive complaints from users of their websites that by reason of the way in which the website uses cookies and other add-in/plug-ins, there has not only been a personal data breach, but also a breach of PECR.
Receiving a complaint letter can be upsetting and intimidating (as well as time consuming), and it is a good idea to seek legal advice to understand the extent of the problem and your response to the complaint. For smaller businesses making an accidental breach for the first time, the Information Commissioner is less likely to act so long as the issue is quickly resolved and improvements made to avoid further breaches.
However, the most effective way of guarding against a cookie complaint is to make sure cookies are properly handled in the first place.
How should my website comply with cookie regulations?
To comply with PECR, a website must:
- Tell visitors that the cookies are there
- Explain what the purpose(s) of the cookies are
- Obtain consent to use cookies
About consent for the use of cookies
For cookies to be lawfully used, the user’s consent must be ‘clearly, freely and actively given’ and must be ‘specific and informed’ – so the user must understand how the cookies will be used and actively opt in by clicking a link or ticking a box.
Simple continued use of a website after reading a cookie banner or statement is not sufficient to constitute consent. Also, the explanation of the fact cookies are there and what they do must be clearly evident for the user’s consent to be considered valid.
For example, you cannot bury the information away in the cookies or privacy policy and you cannot use cookies which go beyond what the user would understand they had consented to.
The website must also enable users to easily enable or disable cookies to ensure that their consent is freely given. The most straightforward way to do this is by having a clear and detailed cookies pop up banner supported by robust cookie and privacy policies.
Are there exceptions to cookie regulations?
There is an exception to PECR for essential cookies. You are able to use these without consent, but they must be truly essential for the operation of the site, not just useful or helpful. It does however remain good practice to provide users with information about these types of cookies as soon as they land on the site.
A website must not set any non-essential cookies before the visitor has provided their informed consent.
