From our data protection team, you will receive expert legal advice in an area of law which is becoming increasingly demanding and complex as each year passes since the advent of the General Data Protection Regulation (GDPR) coming into force in May 2018 (now the UK GDPR since leaving the EU). We act for commercial organisations, sole practitioners and owner-managed companies, as well as not-for-profit and educational establishments.
Registration with the ICO (Information Commissioner’s Office)
The experience and skill of our commercial solicitors is second to none. Whether you intend to acquire a business, or require a keen eye to review / explain the terms of a commercial contract, or even someone to draft you a partnership agreement – we can assist you. Our advisors will not just guide you but will ensure you fully understand the risks involved and will assist with strategic planning when contemplating a commercial transaction to protect your investment.
Data Protection Audits / GDPR Gap Analysis
We have a dedicated team which works on data protection audits throughout the year and which can help you identify any shortcomings in data protection compliance. This will help keep your data secure, as well as ensuring that, in the event of an investigation by the ICO (usually following a complaint or as a result of a data breach which your organisation may be duty bound to report to the ICO). We often find when undertaking such audits for clients that either the required policy documentation is missing, inadequate, out of date or plain wrong. The risk to an organisation’s reputation, particularly in relation to a data breach or in the publication by the ICO of any investigation it might carry out against the business or organisation in question, where sanctions are issued, is something which should not be underestimated. Please contact us if you would like to learn more about our fixed fee offering for audits or view more information about it here.
Direct Marketing and Use of Personal Data
The interaction between data protection law and that in relation to e-Privacy and use of personal data in marketing campaigns has become increasingly of importance and complex since the advent of the GDPR. It is important to understand when mailshots can and cannot be sent to data subjects, whether as part of an organisation or on an individual basis, whether to a personal email address or when the recipient has their own business email address. Failure to get this right can result in complaints to the ICO, which can lead to an unwanted investigation and may result in the unearthing of unrelated compliance breaches which will then need to be dealt with.
International Data Transfers
Any data which is processed by a third party outside of the United Kingdom will amount to an international data transfer. Any transfer of data which is to a country which is outside of the EEA (European Economic Area) will require the use of standard contractual clauses in any data processing or data sharing agreement governing the use of that data between the parties, unless the parties can rely on a different exemption under the GDPR. Because of the UK’s departure from the EU, the standard contractual clauses approved by the European Commission in June 2021 cannot be used by UK-based parties and the previous version of these clauses (some of which are more than ten years old) and which are less sophisticated must be used until the Information Commissioner’s office has approved new versions. This has now happened on 21 March 2022, when Parliament approved the ICO’s International Data Transfer Agreement (or IDTA) and its associated Addendum (the latter to be used with the EU standard contractual clauses). Ensuring that your contracts governing this process are in the correct form is not a straightforward process, on which professional advice should be sought, as failure to implement correctly can result in sanctions by the ICO (see below).
Data Security & Data Breaches
Ensuring that any personal data you host or hold is secure and inaccessible by third parties, accidentally or otherwise, is key in order to protect your data subjects’ data, whether they be customers or employees. In the unfortunate event of a data breach, notifying the ICO and affected data subjects as quickly as possible is essential to minimise the damage caused to them in terms of what can happen if their personal data ends up in the hands of a wrongdoer (e.g. identity theft, misuse of credit card data and so forth). Dealing with a data breach correctly and expeditiously is also essential to maintaining your organisation’s reputation, given data breaches can end up coming to the attention of the media, resulting in unwelcome publicity and a large expense in terms of time and data security, dealing with complaints and possibly claims from data subjects and IT specialists in hardening access to your systems. The UK GDPR and DPA 2018 set a maximum fine of £17.5 million or 4% of annual global turnover – whichever is greater – for infringements.
Records Management and Retention
Holding on to personal data for longer than is necessary is a breach of the UK GDPR. On the other hand, a business needs to balance that against what information it might need to hold on to in the future in the event of an enquiry by a regulatory authority or data subject (e.g. a customer), such as the ICO or HMRC (for instance, in a tax enquiry, HMRC can look back at records as old as six years). Accordingly, as long as a data controller can justify why it is holding on to personal data for a particular length of time, there should be no issue. The best way of doing this is via a records retention policy (also known as a records management policy), to which will be attached a detailed schedule dealing with all the different categories of records which the controller is holding, for how long and the reason for doing so. We can assist with the preparation of such a document and its schedule, where this is needed.
People who are being recorded by CCTV need to be told in a clear manner that that is the case. This is because CCTV camera footage can identify a living individual, which would constitute the collection of personal data. Posting a notice can be adequate for the purpose of drawing this to people’s attention, but it is always better to put a CCTV Policy in place where there is a relationship already with the people likely to be recorded, such as employees or contractors. Control as to who has access to the camera footage also needs to be considered and limited. Footage should be kept for only as long as is necessary. Finally, before setting up CCTV, a DPIA (data protection impact assessment) should be completed to help organisations identify and minimise risks that result from data processing activities that are ‘likely to result in a high risk’ to the rights and freedoms of individuals.
If you need any further help with a data protection matter, please fill in the form to request a call back or phone us directly on 020 3588 3500.