Data protection: Should businesses be worried?


With British Airways (BA) and Marriott receiving notices of proposed fines from the Information Commissioner’s Office (ICO), the regulatory body that enforces data protection policies in the UK, businesses should be taking proactive steps to implement good data protection practices. Provisionally, the fines stand at £189.39m for BA and £99.2m for Marriott, although the actual amounts are to be determined following negotiations between the ICO and the offenders. The fines demonstrate the importance of businesses taking the necessary steps to protect personal data and to carry out appropriate levels of due diligence in corporate mergers and acquisitions.

The ICO has recently published guidelines dispelling myths surrounding cookie policies. Websites using cookies are required to set out what cookies they use and why and to obtain consent from the user to store or retrieve information on their computer, smartphone or tablet. This can be contained in a cookie policy. The rules on the use of cookies are contained within the Privacy and Electronic Communications Regulations (PECR) rather than the General Data Protection Regulation (GDPR), although some of the key concepts within PECR now come from the GDPR.

Businesses may think that they can rely on a justification to set cookies and therefore do not need consent. The reality is that PECR will always require the consent of the user for non-essential cookies. Another misconception is that cookies used for analytics are always necessary and therefore do not need consent. However, they are not part of the functionality that the user requests when they use an online service and therefore they may not be necessary and will require consent. Finally, the ICO states that it may appear that it is trying to discourage the use of cookies altogether; however, this is not the case. It states that it “supports innovation but that can’t always be at the expense of people’s legal rights” and that cookies “are important in ensuring the smooth running and convenience of much of the digital world. It is simply a matter of using them in a legally compliant way.”

The ICO itself was using implied consent for users who were browsing its website on mobile devices, which means that cookies were used automatically unless the user changed the settings, thus breaching the GDPR. The ICO has admitted to the breach and has stated that it is in the process of updating its policy. This highlights the importance of businesses taking responsibility whilst fixing any potential breaches. With even the ICO breaching GDPR, expert advice is essential.

If you would like to discuss how BakerLaw can help, please contact Simon Porter by emailing or calling 01252 730 754.

This article is not a definitive statement of the law. It is designed as a free update on the law at the time of publishing. It is not a substitute for legal advice on specific facts and circumstances. BakerLaw LLP and/or the writer accepts no liability or responsibility for reliance on this article and recommends that you seek independent legal advice on your specific circumstances prior to taking any steps.