Data Protection Issues
• 20 Dec 21
Data Protection Issues
Personal data could prove crucial to the smooth operation of a business. Even where a business model does not rely heavily on personal data to generate revenue, a business often ends up collecting and processing more personal data than it expects. With that, comes an array of policies you need to adhere to. In this article, we’ll be exploring everything you need to know when it comes to complying with data protection policies for your website.
Data Privacy
Given an increasingly strict data privacy enforcement climate across the globe, it is important for entrepreneurs to ensure that they comply with data privacy laws. A failure to do so could result in hefty fines for regulatory authorities, as well as a tarnished reputation in the market.
While data privacy laws may differ across jurisdictions, a general rule of thumb is that businesses must obtain a data subject’s consent before collecting, using and processing his/her personal data, and must implement proper safeguards to prevent any data breaches.
Comply with Data Privacy Obligations
Businesses often rely on personal data to facilitate smooth operations. However, the proliferation of various high-profile data breaches in recent years has given rise to an increasingly strict data privacy enforcement climate across the globe.
This means that it is becoming increasingly important for start-ups to comply with data privacy laws. A failure to do so could result in hefty fines for regulatory authorities, as well as a tarnished reputation in the market. Yet, start-ups often fail to appreciate the importance of complying with data privacy laws.
Reasons for such a failure may include:
● An underestimation of the amount of personal data that the start-up actually collects and processes
● A failure to appreciate the gravity of the consequences of failing to comply with data privacy laws
Whatever the reasons, start-ups would need to pay attention to their data practices to ensure compliance with data privacy laws.
While data privacy laws may differ across jurisdictions, a general rule of thumb is that businesses must obtain a data subject’s consent before collecting, using and process his/her personal data, and must implement proper safeguards to prevent any data breaches.
Cookie Policies
Web cookies can prove useful for both the website operator and the website user. They allow website operators to track the activities of visitors to the website, in order to facilitate web operations. They also allow for website visitors to engage in web activities with more convenience – cookies for instance allow for passwords to be stored on commonly used sites for easy access, or for visitors to keep track of the items in their online shopping cart.
Yet, the usage of “cookies” also brings up various concerns from a legal and compliance perspective. An immediate concern that may spring to mind for website visitors is whether that privacy rights will be infringed through the use of “cookies”. Likewise, website operators may be concerned that their usage of “cookies” will result in an infringement of data protection laws.
Given the risks involved, it would be prudent for companies that operate websites for business activities to have a cookie policy.
Obtain consent with respect to personal data
The usage of cookies is likely to involve the collection and processing of personal data. This means that the laws and regulations surrounding the collection and processing of personal data apply to the usage of cookies.
Personal data is widely defined to encompass data that can be used to identify an individual. In this regard, there is a very wide range of data that can potentially fall within the definition of “personal data”.
Businesses often collect and process individuals’ personal data for the purposes of their operations. Yet, the data privacy enforcement climate is becoming increasingly strict amidst the emergence of high-profile data breaches.
Besides, data privacy regimes are becoming increasingly consistent as jurisdictions seek to adopt a coordinated approach towards data privacy enforcement. One concept holds true across data privacy regimes worldwide – the requirement for consent to collect and/or process personal data for specified purposes.
A cookie policy informs website visitors of the purposes of the usage of cookies, as well as how website visitors may disable cookies on their web browser.
Requirement for greater accountability to website visitors
Data privacy regimes around the world not only require companies to obtain consent from individuals with respect to their personal data but also to take measures to maintain accountability to individuals who provide such consent (“data subjects”).
Measures that companies may be required to take to maintain accountability include acceding to data subjects’ requests on information with respect to the status of their personal data and how their personal data has been used.
A cookies policy can facilitate such accountability efforts, through various means, such as:
● Providing website visitors with the contacts details of the person whom they are to reach out to, in the event they wish to make certain requests in relation to their personal data.
● Setting out the procedures for conveying data subjects’ requests.
Standalone cookie policy needed in some jurisdictions
In certain jurisdictions, companies are required to have a standalone cookies policy. In particular, the European Union has enacted laws that require websites to post a standalone cookie policy – separate from its privacy policy.
Given the cross-border nature of commerce, it would be prudent for companies to adhere to the high watermark of standards as far as data privacy compliance is concerned, in order to ensure smooth operations across as many jurisdictions as possible.
Harsh consequences of failure to comply with data privacy laws
It is getting increasingly important to comply with data privacy laws and regulations around the world. The proliferation of high-profile data breaches in recent years has resulted in a stricter data privacy enforcement climate across the globe. A failure to comply with data privacy law and regimes could result in hefty penalties, as well as a tarnished reputation. All these could result in huge losses that could potentially cripple your business.
Source of reference for your own personnel
While cookie policies may be public-facing, they may also serve as an important point of reference for your own personnel who operate your website. Cookie policies may serve as a reminder to your personnel on various cookie-related matters, such as to how cookies should be used.
Indeed, this is important as the weakest link in any company’s data compliance ecosystem is human error – after all, we all err from time to time and human error cannot be eliminated. Measures can, however, be taken to reduce human error, and a cookie policy is one such measure.
How to Collect Personal Data Safely
Personal data is generally defined widely to entail information that can be used to identify an individual. This means that personal data extends beyond the information that is traditionally perceived as “personal” (such as one’s name and height), and could even encompass information such as the IP address of one’s computer.
It’s increasingly important for businesses to comply with data privacy laws. A failure to do so could result in hefty penalties, as well as a tarnished reputation.
Let’s examine the measures that businesses can take to collect personal data safely on their websites.
Obtain clear and unequivocal consent
Data privacy regimes across the globe are becoming increasingly consistent as jurisdictions seek to establish unified efforts to prevent data breaches. One concept holds true across data privacy regimes worldwide – the requirement for the concept.
Briefly, data privacy regimes around the world require organisations to obtain consent from a data subject before it collects that data subject’s personal data.
In this regard, it is crucial for organisations to obtain clear and unequivocal consent from data subjects for the collection of their personal data. Measures that organisations may take to ensure that consent is clear and unequivocal include:
● Setting out clearly on the website the proposed purposes for collecting the personal data of the data subject
● Setting out a notice requesting for consent in large font at a prominent area of the web page
● Not providing the individual with further access to the website unless the individual clicks “I consent”
It is also prudent for organisations to keep a record of all consents that they have received from their data subjects, for evidentiary purposes.
Use the data only for specified purposes
The exercise of obtaining consent is hollow if the boundaries of consent are not adhered to. Organisations need to ensure that they use the personal data that they collect only for the purposes that the data subjects have consented to.
Implement proper security measures
Another key measure that organisations should undertake is to implement proper security measures to prevent data breaches. Indeed, this is an obligation that organisations are required to undertake under the data privacy regimes of jurisdictions across the world.
Ultimately, the amount and level of safeguards that would need to be put in place would depend on a range of factors, including:
● The amount of personal data collected
● The level of sensitivity of the personal data involved
● The nature of the services that the organisation provides
● The location of the database where the personal data is stored
While it is ultimately a fact-sensitive enquiry, it is always wise to err on the side of caution, given the grave consequences that follow from data breaches. Given that the chief cause of data breaches is human error, measures should be focused on reducing the risk of human error.
Examples of security measures that organisations may wish to implement may include:
● Restricting access to the database to limited categories of personnel, on a “need to know” basis
● Password-protecting access to the database
● Requiring personnel to adhere closely to notification protocols in the event that they suspect or detect a data breach
● Keep a record of all personnel who access the database
Data transfer agreements
The transfer of personal data to third-party service providers may increase the risk of data breaches occurring. In this regard, it is key to enter into a well-drafted data transfer agreement with the third-party service provider.
Data subjects’ requests
Various jurisdictions (including jurisdictions that adopt the GDPR standards) require organisations to accede to various requests from data subjects in relation to their personal data. These requests may include:
● A request for the organisation to erase his/her personal data from the database
● A request for the organisation to provide an accurate account of how his/her personal data is being used
Accordingly, organisations should implement measures to ensure that they are able to respond to data subjects’ requests promptly. These may entail:
● Having personnel on standby at all times to look out for, and respond to, data subjects’ requests
● Keeping a proper log of how data subjects’ personal data is used
● Implementing a protocol for addressing data subjects’ requests
Other Terms of Use
Businesses may also use legal notices to convey other terms of use with respect to their website, which may be crucial for maintaining the integrity of the website, as well as its business operations.
These terms of use set out the rights and obligations of website visitors with respect to their access to the website, as well as the usage of website content. These terms of use may relate to matters such as:
● Obligation on the visitors not to introduce viruses onto the platform and/or hack into the platform;
● Obligation to indemnify the business for any losses that the business suffers as a result of breaches by the visitors of various provisions in the terms of use; and/or
● Restrictions on the types of content that visitors are permitted to post on the website.
Next steps
When it comes to legal basics, it can seem overwhelming at first. But, it doesn’t have to be. GLS offers a host of free Startup resources to help set you on your way. You can also browse our list of over 200 Legal Templates and Tools, to choose the products your Startup needs at each critical stage of business.
We also offer a wide range of subscription based Legal Support Plans created specifically for Startups who want a 360 degree service in creating their own virtual legal dept.
*The above content does not constitute, nor is it offered as, legal advice of any kind. GLS Solutions Pte Ltd is not a law firm and any support provided pursuant to this entity is not regulated legal advice or legal opinion.