Getting the correct advice about the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 is vital for your business. Our data protection solicitors are experts at advising businesses on GDPR compliance and how to deal with the ICO, the UK data protection regulator.
Knowing exactly what you need to do to be GDPR compliant can be daunting. Our specialist data protection lawyers will work closely with you to understand your business and provide advice tailored to your current commercial situation and future strategic goals.
Our team’s deep data protection knowledge has developed over years of work in this complex and intricate area of law. This means that we can support in-house counsel or data protection officers, either as a “sounding board” or as specialist advisors.
The GDPR is EU legislation and applies throughout the EEA but can also apply to non-EEA organisations too. We therefore advise UK, EU, and international businesses about data protection and GDPR compliance.
If you’re based outside the EU, we can advise whether you are affected by GDPR and, if so, explain the extent of your compliance obligations. We’ve worked with a number of overseas businesses - particularly in the US - on GDPR issues and can bring that knowledge and experience to your organisation.
Our lawyers can help you with all aspects of GDPR and data protection compliance. We can take you through the initial steps of compliance by carrying out a GDPR Audit to assess where you currently stand. We can then advise on a compliance strategy and the policies and procedures that you will need to put in place to evidence your compliance.
We also advise businesses on day to day issues such as managing subject access requests (SAR/DSAR) and Data Breaches, and how to enter into GDPR-compliant contracts.
We’re also on hand to help if you face complaints from individuals to the Information Commissioner’s Office (ICO) or if you’re the subject of an ICO investigation. In those situations it’s crucial that you have experienced advisors who understand how to handle the issues you’re facing. We have the specialist knowledge and experience you need .
Contact our team on 0808 271 2602 to learn more about how our lawyers can help your business manage its data protection responsibilities.
What Is The GDPR?
The GDPR and the Data Protection Act 2018 control how organisations collect, use and store people’s personal information.
The GDPR applies to businesses operating in the European Economic Area (EEA). It also applies businesses outside the EEA which offer goods or services to people based in the EEA, or monitor their behaviour. It can therefore apply to US businesses or businesses in other countries outside the EEA - we can guide you through whether it applies to you.
In the UK, the Information Commissioner’s Office (ICO) is the regulatory body that enforces GDPR compliance. They have the power to audit compliance, issue enforcement notices and issue large fines if you don’t comply. Fines can total up to up to €20m or 4% of the total worldwide annual turnover of the previous financial year, whichever is higher.
Although the GDPR is European Union legislation, it still applies to UK businesses post-Brexit.
Businesses need to follow the seven principles of the GDPR:
- Lawfulness, fairness and transparency – You must collect, use and store personal data legally and fairly and publish a privacy notice so people are clear about how you use their data. We can help you draft a privacy notice that satisfies this transparency requirement while protecting your business interests.
- Purpose limitations – You must only use data as described in your privacy notice, or for new purposes that are compatible with the original privacy notice. If you’d like to change how you use your data, we can advise on the best way forward.
- Data minimisation – You must only collect and store data that’s relevant and necessary for the purposes set out in your privacy notice.
- Accuracy - You must ensure that data is correct when you collect it and kept up-to-date during storage. You must update or delete any incorrect out-of-date data.
- Storage limitation – You should only keep data as long as necessary for the purposes listed in the privacy notice, and securely destroyed once it’s no longer needed. We can help you draft a retention policy that sets out how long your business should keep each stream of personal data it collects.
- Integrity and confidentiality – You must store data confidentially securely. We’ll help you assess an appropriate level of security for the different types of data you hold based on the potential harm if there was a breach.
- Accountability – You must document how you comply with the other six principles through policies and procedures.
What GDPR Issues Could I Face?
Understanding the complexities of the GDPR can be difficult and many businesses think it only covers personal information relating to their staff. Data protection also includes your customers’ and suppliers’ personal data and any data you are storing or managing for a third party.
We advise businesses on:
- Data Audit – we can assess your current compliance with GDPR and advise where there are gaps and what you need to do to fix them
- Data Asset Register – we can help you put together the register of how you use personal data as required by GDPR
- Data Protection Policies and Procedures – Under GDPR you need to be able to demonstrate to the ICO that you are complying with it. This is usually done via having policies and procedures. We can advise on what policies are procedures you need, tailored to your business needs.
- How to handle subject access requests (SAR / DSAR) – These can be expensive and time consuming to deal with, particularly if you don’t have the experience of knowing which requests you need to comply with, how much data to release, and when exemptions apply. We have the experience and expertise to help you through this complex area.
- Individuals’ data rights – The GDPR gives individuals greater rights to control their personal data but there are still limitations. We can help you understand exactly how these rights affect your business. You’ll learn which requests are valid , and which aren’t, so you can keep all the data you’re entitled to keep.
- Dealing with data breaches, including reports to the ICO – You must notify the ICO of certain data breaches. We’ll help you understand which data breaches you need to report and which you don’t, how to report breaches, and advise on a range of related issues. How to market in a compliant way – direct marketing can be a minefield. We’re experts at advising on both GDPR and the additional rules that apply to electronic marketing, the Privacy and Electronic Communications Regulations (PECR). Our lawyers are experts in this particularly complex area of law that sees severe fines for noncompliance, and potential fines for directors.
- Handing complaints from individuals and regulators – Our specialist team is experienced in advising on dealing with complaints made to the ICO and ICO investigations. We’ll advise on the best strategy to sensitively handle complaints and minimize disruption for your business.
- Moving data out of the EEA – This is increasingly relevant for businesses using outsourced IT, HR, and marketing services. We’ll help you ensure that these operations are compliant.
- Sharing data with other businesses – We can draft GDPR-compliant contracts with clauses to control how contractors use personal data and protect your business in the case of a data breach
If your business doesn’t comply with GDPR, it could face fines of up to €20m or 4% of your worldwide annual turnover (whichever is higher). Individuals can also bring claims against you if you misuse their personal data which can lead to you paying damages.
Data breaches can also cause serious reputational damage to your business. Get data protection right, however, and you can build trust in your customer base that can become a real selling point.
Why Choose Irwin Mitchell?
Our data protection solicitors work with businesses of all sizes and across all sectors in the UK and abroad. We have over 20 years’ experience with data protection compliance and helping businesses with ICO investigations.
We’ll explain how data protection laws affect your business and help you stay up-to-date with regulatory changes to reduce the risk of claims or investigations. As we get to know your business, we’ll build a lasting collaborative relationship with your team.
Our offices are situated across the UK so we can help you wherever you’re based. If you’re doing business with overseas companies, we have strong connections with experts abroad so we can advise on cross-border situations.
You’ll also benefit from our wide-ranging expertise from our other legal teams. Our commercial solicitors can help draft contracts with data protection clauses and our commercial disputes and litigation team can advise on any breaches of contract or damages claims that may arise from data breaches.