Keeping us craft enthusiasts’ personal data safe

Thursday 8 October 2020

In May 2018 the General Data Protection Regulation (GDPR) redrafted the rule book on data protection and required many (if not all) businesses to review and update the way in which they processed personal data, otherwise risking exposure to significant fines by the Information Commissioner’s Office (ICO).

For example, notable penalties of £183 million and £99 million were proposed against British Airways and Marriott Hotels respectively in the summer of 2019 as a direct result of their failure to adequately safeguard the personal data of their customers.

Whilst breweries and online distributors are unlikely to process personal data on such a large scale, it is important to be aware that as a bare minimum, such businesses will certainly collect and process personal data every time a new customer places an order (e.g. name, postal address, email address, telephone number and bank details).

Below is a non-exhaustive list of issues that brewers and retailers should consider in the context of their websites and ordering systems, to evaluate whether or not they are compliant or currently failing to meet the legislative standards.

  • Cyber security: You should review your cyber security to make sure that customer personal data is adequately protected from cyber-attack which could lead to a data breach. The ICO is responsible for investigating data breaches and non-compliance with data protection laws and has the power to fine businesses up to the greater of €20 million (or the sterling equivalent) or 4% of total annual worldwide turnover of the business for non-compliance.
  • Privacy policy: Websites should include a link to your privacy policy which sets out (i) what personal data you collect, (ii) where that data is collected from, (iii) how that data is collected, (iv) what the data is used for, (v) how long the data is retained for, (vi) the lawful basis you are relying on to process that data, and (vii) what rights the customer has in respect of its personal data. This helps to demonstrate compliance with the GDPR and the Data Protection Act 2018 and you should also include relevant contact information such that customers can ascertain who to contact in the business in the event that they wish to exercise their rights.
  • Cookies: When placing cookies on your website, you are responsible for ensuring that you have all necessary customer consents for the use of those cookies and that you are complying with the requirements of GDPR and the Privacy and Electronic Communications Regulations (PECR). A cookies policy should be visible on the website setting out which cookies are utilised and the basis for using these. If any cookies you use require consent (such as Google Analytics), you should also have a cookies acceptance banner, allowing customers to set their cookie preferences.
  • Website terms of use and acceptable use: These should include provisions dealing with access to, and use of, the website. They should include information about you as the website owner, your rights to modify or withdraw the website, disclaimers for material published on it or linked to from it, rules about how such materials may be used, and rules about unacceptable user behaviour such as hacking, introducing viruses and uploading illegal or defamatory content.

Depending on the level of personal data being processed by a business, it may be worth commissioning a full GDPR audit to assess and subsequently rectify any shortcomings in the manner in which you process personal data. Alternatively, you might feel that your business is largely compliant but would benefit from a privacy policy or other relevant policy being drafted by an experienced professional.

Please do not hesitate to contact the author, Daniel Finn, or co-author Lydia Loxham should you wish to discuss this topic or any other commercial or corporate matters.
