Data protection doesn’t apply to agricultural businesses – does it?
Biometric data, cookie identifiers, IP addresses – these technical terms relating to data protection seemingly have no relevance to the agricultural sector. However, recent changes are to legislation mean that data protection law is something that agricultural businesses have to take seriously.
What is personal data?
Data protection law protects personal data. This means information relating to an identifiable living person – such as customer contact details, employee files and email addresses. For example, if you have a database of email addresses that you use to send out special offers to customers of your farm shop, you need to make sure that you comply with data protection law.
In May 2018, new legislation - the General Data Protection Regulation (“GDPR”) - came into force. It extends individuals' data privacy rights and introduced a new culture of “accountability”. Penalties for breaches of the law increased to a maximum of 20 million Euros, and organisations are now required to self-report serious data breaches within 72 hours. This means that it is more important than ever to comply with the legislation.
Complying with the law
Businesses need to make sure that they can show:
- a proper legal reason for holding and using personal data – such as the need to fulfil a contract or that they have the consent of the individual concerned;
- that they are complying with the data protection principles – for example, that the data is up to date, that it is stored securely and that it is not kept for longer than is necessary;
- that they are complying with the individuals’ rights – such as an individual’s right to see what data is held about them, the right to have their information erased, and the right to object to use of their data.
To avoid hefty fines, agricultural businesses should now:
- conduct an audit of the personal data that they hold and the reasons for holding it;
- tell people what they are going to do with their data;
- ensure that consent to processing data is recorded;
- review their data security arrangements – use strong passwords on computers, encrypt portable devices, keep employee files in locked cabinets; and
- ensure that staff have been trained in data protection law.
Organisations have to move away from seeing data protection as a “box ticking exercise” towards building a “culture of privacy that pervades an entire organisation”. The Information Commissioner has emphasised the business benefits of being perceived as an organisation which respects the privacy of individuals, and foresees that this issue could well play a role in consumer choice.
For further help or advice, please contact Partner and Data Protection Law specialist, Louise Connacher, on 0113 2802108 or firstname.lastname@example.org
Please note this information is provided by way of example and may not be complete and is certainly not intended to constitute legal advice. You should take bespoke advice for your circumstances.