GDPR (General Data Protection Regulations) is a new data protection reform established by the European Union. Our expert GDPR solicitors are here to provide you with all aspects of GDPR legal advice.
What can our GDPR Solicitors help with?
- Legal advice on what the GDPR means for your organisation
- Legal advice about GAP analysis, and your information audit
- Review GDPR compliance strategy , and data protection policies
- Legal advice about how long you should be retaining data
- Contracts between data controllers and processors – the new law provide that there must be a written contract between all controllers and third parties who process a controller’s data e.g. clients and accountants/pay roll providers/marketing agencies/IT providers/HR consultants
- Employment contracts – these will need updating and all employees/workers/contractors to be given a privacy notice setting out how data is processed
- HR advice linked to GDPR
- Preparation and review of Privacy notices – all data subjects whether customers, prospects or staff must be told what you will do with their data at the point of collection. We recommend most organisations will need an updated/legally compliant GDPR privacy notice in a prominent place on their website
- Updating terms and conditions
- Legal advice regarding notification and suspected breaches
- Legal advice surrounding Data Subject Access Requests – all individuals have the right to request all the data you hold on that individual. There are strict time limits to process these requests.
- Legal advice about the justification for processing data e.g. consent, or legal obligation
- Suggested wording to obtain compliant consent under GDPR
What should you be doing now to ensure GDPR compliance?
- Carry out an audit of the information you hold. Consider why and how long you hold this data. Implement a compliant data protection policy;
- Update privacy notice on website and for all staff;
- Review marketing processes and cleanse data where consent is needed;
- Update all contracts with third parties, and terms and conditions to ensure GDPR compliance;
- GDPR training/awareness for staff;
- Ongoing audits.
General Data Protection Regulation (GDPR) – the new data protection regime
Data protection obligations were set out in the Data protection Act (DPA 1998). At the time the data protection act introduced an extensive data protection regime by imposing broad obligations on those who collect personal data and by conferring broad rights on individuals about whom data is collected.
To adapt to modern technology, in April 2016, the European Parliament approved a general data protection reform package, and adopted the General Data Protection Regulation (GDPR) LINK.
In the UK, the GDPR is overseen by The Information Commissioners Office LINK (ICO) which is the independent public body responsible for upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
The new data protection regime sets out a number of principles which data controllers must comply when processing personal data:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality.
Conditions for Processing
Processing personal data will be lawful only if, and to the extent that, at least one of the conditions in Article 6 of the GDPR is met. Those conditions (which are similar those under the DPA 1998) are that:The data subject has given consent to the processing of their personal data for one or more specific purposes. Consent has attracted a lot of publicity but the ICO warns that you should not rely on consent and look to other grounds first.
- The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of a data subject prior to entering into a contract
- The processing is necessary to comply with a legal obligation to which the controller is subject e.g. to HMRC
- The processing is necessary to protect the vital interests of the data subject or another person
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e)).
- The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests and fundamental rights and freedoms of the data subject which require protection of personal data, especially were the data subject is a child (Article 6(1)(f))
To protect your business from data protection penalties and fines, contact our GDPR solicitors today for expert GDPR legal advice