Data Protection Solicitors
What is data protection?
Data protection is about protecting personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, and ensuring it is processed fairly. Personal data refers to information relating to a living individual where the individual is identifiable, either through the information on its own or together with other information held.
In the UK, data protection is governed by the UK GDPR (General Data Protection Regulation) and the DPA (Data Protection Act) 2018, which should be read together. All organisations in the UK that process personal data must comply with these laws or risk fines of up to £17.5 million or 4% of annual global turnover, whichever is greater, as well as other potential sanctions.
Organisations that send electronic marketing messages, use website cookies, or provide electronic communications services to the public must also comply with PECR (Privacy and Electronic Communications Regulations).
The data protection legislation gives individuals rights as to how their personal data is used and puts rules and limitations on what organisations can do with the personal data they hold.
Compliance with data protection laws
Compliance with data protection laws is key, and not only because of the risk of financial and other consequences in the event of a breach: good data management saves your business time and demonstrates to people that you care about treating their personal data with respect. People have never been so aware of how their data is used (and misused).
Data protection impact assessments
A data protection impact assessment (DPIA) is a process to help you identify and minimise the data protection risks of a specific project. This process must be carried out if an activity is likely to result in a high risk to individuals and their data - but it's good practice to do a DPIA for any project that involves the processing of personal data because it demonstrates accountability and increases the awareness of data protection issues within your organisation.
A DPIA should describe the nature, scope, context and purposes of the processing, as well as identifying measures to mitigate risks. An effective DPIA allows you to identify and fix problems at an early stage, bringing broader benefits for both individuals and your organisation.
We have considerable experience of helping businesses with the preparation of DPIAs.
Data sharing agreements
Whilst not mandatory, we encourage our clients to use data sharing agreements. These arrangements, implemented between two or more controllers, describe the purpose of the data sharing and explicitly set out what happens to the data at each stage.
Having a data sharing agreement in place helps you and your business demonstrate that you are mindful of the importance of protecting personal data. It's a way to help all parties involved understand their roles in the sharing of data - and the expected standards.
Data processing agreements
A data processing agreement, or DPA (not to be confused with the Data Protection Act), is an agreement between a data controller, such as a company, and a data processor, such as a third party service provider. Whenever a controller uses a processor, there must be a written contract in place. Similarly, if a processor uses another organisation (a sub-processor) to help it process personal data for a controller, it needs to have a written contract in place with that sub-processor.
Such contracts ensure that both parties understand their obligations, responsibilities and liabilities. The data protection laws set out mandatory terms that must be included in every data processing agreement.
Policy documentation
We can provide invaluable guidance in either evaluating existing data protection policy documentation or drafting new documentation from scratch.
We can help with data protection policies, privacy notices, data retention policies and data breach policies.
Data breaches
A personal data breach occurs when a breach of security leads to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data. For example, this could include personal data being accessed by an unauthorised third party, data being sent to the wrong person or computers containing personal data being stolen.
Data breaches can lead to not only severe financial penalties, but also significant reputational damage. If your business loses trust, it can be very difficult to get it back.
When a data breach occurs, it's vitally important you act swiftly and obtain legal and operational advice. You have to notify the ICO of a breach if it is likely to result in a risk to the rights and freedoms of individuals. Where this applies, you must report within 72 hours of becoming aware of the breach, where feasible. If a breach is likely to result in a high risk to the rights and freedoms of individuals, you must also inform those concerned directly without undue delay. Whether or not a breach is reportable, you must keep an internal record of it, including the facts, its effects and the remedial action taken.
We can support and guide businesses through dealing with a data breach.
Subject access requests
Individuals have the right to access and receive a copy of their personal data, together with other supplementary information. This is known as a subject access request. The request can be made either verbally or in writing, including, increasingly, via social media.
The timeframes for dealing with such requests are tight: you should respond without delay and, in any event, within one month of receipt of the request (this can be extended by up to two further months where a request is complex or you have received a number of requests from the same individual). We can help businesses across all sectors respond to subject access requests within those deadlines.
We can help you with all data subject requests, simple or complex, including using exemptions where appropriate and redacting information before disclosure.