Scaling Up for Success Seminar
Working in partnership with Smith & Williamson, we are delighted to invite you to the ‘Raising Finance – Finance to scale’ seminar, the last in a series of four Scaling Up for Success seminars, on Tuesday 15 October at our Southampton office.
Data Protection – How to deal with Subject Access Requests?
Rudd v Bridle
Following the arrival of GDPR there has been a notable increase in the number of subject access requests (SARs) whereby individuals have made formal requests to receive details of the personal data held on them by a business. As these requests can be time-consuming and expensive to deal with, it is no surprise that businesses have been seeking to minimise their efforts responding to a SAR.
The recent important decision in Rudd v Bridle has examined the whole area of SARs and a number of important principles have been confirmed:
- Who is the data controller in relation to personal data? The simple answer is that this is the party who ultimately decides the purposes and manner in which personal data is being processed – in this case, the court decided that the facts pointed clearly to Mr Bridle being the data controller and not his company – this had important implications as the final court order made was against Mr Bridle personally;
- No right to receive documentation – the person making a SAR has no right to receive documents, but only a right to receive the information comprising his/her personal data – accordingly, businesses can feel emboldened to reject requests for documents;
- What type of information is covered by the term “personal data”? The court decided that the identity of recipients of information relating to the individual making a SAR can be part of the relevant personal data and subject to disclosure where this information is significant in a biographical sense and where its main focus is the individual making the SAR – consequently, “personal data” can be an elastic concept and is not limited to the personal attributes of an individual;
- Withholding information relating to third parties – although the relevant legislation allows certain information relating to third parties to be withheld in certain circumstances, the court was at pains to point out that this did not provide a blanket ban on any third party information being disclosed at all and criticised Mr Bridle for his attempts to do so;
- Exemptions from responding to a SAR – Mr Bridle’s attempts to avoid responding further to the initial SAR were based on the journalistic, regulatory activity and legal privilege exemptions and, in each case, the court held that the exemptions did not apply and that in order to rely upon them, the recipient of a SAR had to have clear evidence that they applied;
- Was the initial SAR response adequate? This was the only issue where the court found in favour of Mr Bridle: as long as the SAR is reasonably intelligible, there was no additional requirement to provide complete paragraphs or sentences in making a response – short, factual statements/comments would be sufficient.
Businesses on the receiving end of a SAR need to be particularly aware that there is a potential risk to directors, who could incur personal liability if found to be the data controller. They also need to realise that “personal data” can have a surprisingly wide scope. At the same time, businesses should be comforted by the fact that there is a clear ruling that the SAR does not entitle the individual to receive actual documents.
British Airways to be fined a record £183 million for data breach
The Information Commissioner’s Office (ICO) has published its intention to fine British Airways £183.39 million under the General Data Protection Regulation (GDPR) for a serious breach of data protection.
This fine is significant as this is the largest fine the ICO has ever issued; under the preceding Data Protection Act 1998, the maximum fine the ICO was able to issue was £500,000. This is also the first major monetary penalty to be issued under GDPR.
Under the new rules introduced last year by GDPR, the ICO can now issue fines up to a maximum of 4% of the annual worldwide turnover. This fine is a significant amount and represents 1.5% of British Airways’ worldwide turnover in 2017.
The fine relates to a cyber attack on British Airways’ website whereby attackers were able to direct visitors to a fraudulent website and obtain personal data. The incident reportedly began in June 2018 and affected around 500,000 individuals. Attackers were able to access personal data relating to names, email addresses, log-in details and card payment details.
It is important to note that the ICO has not yet fined British Airways; it has only made public that it intends to fine this amount. British Airways will have around a month to submit its representations; however, it will be interesting to see what factors the ICO takes into consideration when arriving at the final penalty for the first major monetary fine to be issued so far under GDPR. This announcement also acts as a reminder to organisations to ensure they have adequate security measures in place when handling personal data.
Scaling Up for Success
Moore Blatch has recently partnered with Smith & Williamson to deliver a series of four Scaling up for Success seminars in 2019 to help founders and senior management teams in businesses that have an ambition to grow and ‘scale up’.
Ensuring distribution agreements comply with UK and EU competition law
UK and EU competition law prohibits anti-competitive agreements between businesses. There are heavy penalties for infringements. When setting up a distribution network, whatever the size, status or sector of your business, it is important to be aware of the main competition rules.
Tech update – Spring Summer 2019
Welcome to the Spring/Summer technology update, where we provide you with the latest information in the technology sector about key issues affecting you and your businesses.
Can we sue our new robot overlords? – The rise in AI and legal liability
The rapid development of artificial intelligence (AI) and machine learning applications is seeing exciting new technologies being introduced to the market across a wide variety of sectors.
Getting out of onerous contracts – The Brexit effect
Whatever your views on Brexit, the ongoing saga is recognised in many quarters as being bad for UK Plc due to great uncertainty as to whether Brexit will actually take place, and if so, on what terms the UK will leave the EU.
Google hit with largest GDPR fine of £44 million
Earlier this year, Google was fined £44 million (50 million euros) by the French data regulator for breaching the data protection rules under GDPR. To date, this is the largest fine issued since GDPR came into force.