Our expert GDPR solicitors provide specialist legal advice and guidance on all areas and matters relating to GDPR and business data protection.
GDPR (General Data Protection Regulation) is the data protection reform adopted by the European Union in 2016 and applied from 25 May 2018. GDPR was brought into UK law through the Data Protection Act 2018 and, following the UK's departure from the EU, the UK GDPR, which is still commonly referred to simply as GDPR. It is widely regarded as the toughest data protection regime in the world and, for now, the UK continues to use it as the principal data protection law that businesses must adhere to.
The purpose of GDPR is to better protect individuals' personal data and, more importantly, to give them more control over how much data they provide and how businesses may use it. GDPR aims to consolidate privacy law and to maintain the security of personal data.
Businesses are required to operate within these rules and to ensure they remain compliant with the data protection legislation at all times, to avoid legal consequences which can be incredibly severe. Non-compliance with GDPR and other UK privacy laws can result in severe penalties and sanctions against your business.
What can our GDPR Solicitors help with?
- Legal advice on what the data protection legislation means for your organisation
- Legal advice about a gap analysis, and your information audit
- Review GDPR compliance strategy, and data protection policies
- Legal advice about how long you should be retaining data
- Contracts between data controllers and processors – the data protection legislation requires a written contract between controllers and processors, including any joint controllers and sub-processors, e.g. clients, software providers, professional advisors such as accountants, payroll providers, marketing agencies etc.
- Employment contracts – these should have been updated to reflect the current data protection legislation, including GDPR, and all employees, workers and contractors should be given a privacy notice setting out how their data is processed
- HR advice linked to GDPR
- Preparation and review of privacy notices – all data subjects, whether customers, prospects or staff, must be told what you will do with their data at the point of collection. We recommend that most organisations will need an updated, legally compliant GDPR privacy notice in a prominent place on their website and may also need a company-wide policy.
- Updating terms and conditions
- Legal advice regarding breach notification and suspected breaches
- Legal advice surrounding Data Subject Access Requests – all individuals have the right to request a copy of the personal data you hold about them. There are strict time limits for responding to these requests (normally one month from receipt).
- Legal advice about the justification for processing data e.g. consent, or legal obligation
- Suggested wording to obtain compliant consent under GDPR
How to ensure GDPR compliance
- Carry out an audit of the information you hold. Consider why you hold this data and for how long. Implement a compliant data protection policy;
- Undertake a gap analysis to identify and prioritise areas of risk;
- Update the privacy notice on your website and the privacy notice given to all staff;
- Analyse the lawful bases for collecting and using data;
- Undertake a risk assessment;
- If you collect sensitive or special category data, check that the additional conditions for processing it have been adequately covered;
- Review marketing processes and cleanse data;
- Update all contracts with third parties, and terms and conditions to ensure GDPR compliance;
- GDPR training/awareness for staff;
- Ongoing audits.
ICO (Information Commissioner’s Office)
In the UK, the data protection regulator is the Information Commissioner's Office (ICO), the independent public body responsible for upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
The ICO is the body that enforces the data protection legislation and takes action over breaches of it, and it ensures that businesses are compliant, as well as offering advice and guidance to help organisations meet these standards.
The ICO also has a useful checklist for businesses who need to understand what GDPR is and how it may affect their business.
The 7 Principles of GDPR
The data protection regime sets out a number of principles (Article 5 of the UK GDPR) with which data controllers must comply when processing personal data:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability.
Conditions for Processing Data
Processing personal data will be lawful only if, and to the extent that, at least one of the conditions in Article 6 of the UK GDPR is met. You must have a valid lawful basis for each purpose for which you process personal data within your organisation. The basis should be identified and documented from the outset; you cannot simply swap to a different basis later if the first one turns out not to apply.
If your purposes change, you should consider whether you need a new lawful basis. Where any processing of personal data involves special category data (sensitive data), you need to identify both a lawful basis under Article 6 for the general processing and an additional condition under Article 9 for processing that type of data.
Those conditions are:
- The data subject has given clear consent to the processing of their personal data for one or more specific purposes. (Consent has attracted a lot of publicity, but the ICO advises that you should not rely on consent where another lawful basis is more appropriate, so look to the other grounds first.)
- The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of a data subject prior to entering into a contract.
- The processing is necessary to comply with a legal obligation.
- The processing is necessary to protect the vital interests of the data subject or another person (vital interests are intended to cover only interests that are essential for someone’s life).
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority and the task or function has a clear basis in law.
- The processing is necessary for the purposes of your legitimate interests or the legitimate interests of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (Article 6(1)(f)).
To protect your business from data protection penalties and fines, contact our GDPR solicitors today for expert legal advice on all matters relating to data protection.
Expert GDPR Solicitors
Our team of specialist GDPR and data protection solicitors has extensive experience in successfully handling cases relating to GDPR and offers businesses across many different sectors the legal advice and guidance they need to ensure compliance.
Get in touch with a member of the team today to set up a free initial meeting to discuss your GDPR and business data needs and find out more about how we can help you and your business.