Take Measures to Limit your Liability

24 Jun

If you have to ask yourself the question, “Does my organisation engage in data processing?” the answer is “probably.” Any marketing or sales analysis you do on information collected from customers is classified as data processing.

Article 2(b) of the Data Protection Directive defines said activity as anything included in the following: collecting, retrieving, recording, organising, storing, disclosing and making available data. New EU legislation is about to tighten the screw on unauthorised uses of customer data, meaning any use to which the customer did not give their unambiguous consent.

Be vigilant about which third parties you pass entrusted data on to. Be aware of its intended use and, if you are selling database information, be sure that the organisation is licensed. Selling personal data without an ICO licence can constitute a criminal offence.

Just One Example

The famous case of Google Spain SL v Agencia Española de Protección de Datos showed just how easy it is for a plaintiff to have a corporation found liable for misuse of an individual’s data. Google’s search engine spiders, in the automatic process of indexing websites and connecting them with what it deems their keywords and subject, picked up an unflattering article about the original plaintiff, Mario Costeja González.

When his name was searched for on Google, pages appeared from La Vanguardia newspaper announcing a real estate auction as a result of proceedings for recovery of social security debts owed by Mr Costeja González. He argued successfully that this was a misuse of his personal information, though the complaint against La Vanguardia newspaper was not upheld, even when Google appealed the verdict, as the newspaper had published the information lawfully.

While this finding by the European Court of Justice was an unusual event, it did set an important legal precedent. There is increased scrutiny on companies to hold themselves accountable for all the uses to which personal data is put, and to take measures to prevent emotional or financial damage to the individuals concerned. If not, they lay themselves open to civil lawsuits as well as punitive fines when the General Data Protection Regulation (GDPR) comes into force in 2018.

Changing Legal Obligations

Think about whether your terms and conditions, and your privacy statement, cover every contingency should someone claim an infringement of their rights, or should a breach occur. These legal documents will need updating soon to remain compliant with the new provisions of the GDPR.

Any website which collects a customer’s financial data lays itself open to responsibility for identity fraud. Any website collecting personal data such as that pertaining to medical or relationship history is potentially problematic. The same now applies even to fitness levels, with some US employers starting a trend of providing healthcare perks in return for workers submitting to fitness tests. The results are submitted in a ‘random, anonymous sample’ for data analysis by specialist companies such as 23andMe in Mountain View, California. Castlight, based in San Francisco, offers employers predictions as to the probability of workers getting pregnant or requiring expensive surgery, based on healthcare searches and insurance claims on its app.

If all that is not enough to scare you into doing your due diligence, this story of an ICO raid on a house in Sheffield should persuade you that illegal data usage is a real threat. The organisation under suspicion emailed countless companies and institutions offering to buy and sell databases – including the ICO! But it was doing so without a licence, and to companies which would use the information to make nuisance calls.


It is so easy to inadvertently violate data protection regulations. So protect yourself now.





