IN May of this year, to great media fanfare, the EU’s General Data Protection Regulation 2016 (GDPR) became law in the UK, through the introduction of the Data Protection Act 2018.
The new rules apply to any organisation which acts as a “data controller”, being an organisation which holds or processes any personal data relating to a living individual (a data subject).
Personal data has a wide definition and its ambit covers any information from which a living individual can be identified (eg. name, address, email address, phone number, image, description).
Equally, any more general information held by an organisation which would allow for an individual to be identified would also amount to personal data for the purposes of the GDPR.
In that context, any individual about whom any trader holds personal data will have rights which need to be observed by the data controller.
This applies equally to any customers, patrons or guests whose information is held as well as any employees/staff who are engaged to work.
There are certain common issues that arise for those working in the licensed trade when considering GDPR obligations.
However, before highlighting some of these, the first and perhaps most important thing to remember is that an organisation is only permitted to hold and process personal data where it has a legitimate basis for doing so.
There are seven potential bases set out in the GDPR, five of which could potentially be relied upon by those operating in the licensed trade.
• the data controller has the data subject’s consent to hold/process the data
• that the processing is necessary for the performance of a contract
• it is necessary for compliance with legal obligations
• it is necessary to protect the individual’s vital interests or
• it is necessary for the legitimate interests of the data controller and there is no overriding reason to restrict processing.
It is important for any data controller to be able to clearly point to one of these bases so as to allow them to hold and process personal data.
Some of the more common matters which see a crossover between GDPR obligations and requirements for the licensed trade are: holding required statutory information about personal licence holders, deliveries, use of CCTV, sign-in books for private members’ clubs, and marketing.
I will examine these matters in greater detail in the next issue of SLTN.
The new law is in its infancy and the Information Commissioner’s Office website (ico.org.uk) contains lots of useful advice and guidance on how to stay on top of matters.
Having clear written policies and forms will ensure that organisations adhere to the standards now expected of them.
In regards to the issues detailed above, that would require having a data protection impact assessment setting out the basis for holding data, the use to which that data is to be put and the other parameters for holding the data.
Such records will be invaluable should any complaints be raised by data subjects about the use to which their personal data is being put.
• Stephen Connolly is a partner at Glasgow legal firm Miller Samuel Hill Brown.