We advise on data protection, freedom of information, confidentiality and privacy. We can help ensure your organisation complies with the EU General Data Protection Regulation (GDPR), the Privacy and Electronic Communications Regulations (PECR) and the Data Protection Act 2018.
How to comply with data protection requirements
There are likely to be key areas which, if tackled first, will greatly reduce the risk of non-compliance. Our approach is based on assessing the greatest risks and targeting those, providing you with the documentation required to demonstrate compliance.
Privacy notices and privacy policies
All organisations use personal data, and therefore almost all will need to display a privacy notice or policy which describes how personal data will be processed. Special category data requires particularly careful treatment.
What to do in the event of a breach
We defend organisations facing claims from individuals and investigations by the Information Commissioner’s Office (ICO).
We can help you with:
- Data processing and data sharing agreements
- Transferring data outside the European Economic Area (third country transfers)
- Data audit
- Data protection training
- Implementing data governance programmes
- Drafting data protection policies and privacy notices
- E-commerce and direct marketing requirements
- Subject access requests
- Preventing and managing data breaches
- Responding to the regulator.
Our GDPR experience includes:
- Auditing and advising a professional institution on GDPR compliance
- Advising online retailers on the changes required to their websites and behavioural marketing
- Providing documentation for charities on how to treat donors and supporters’ data
- Implementing website terms, booking processes and sales training for leisure and tourism businesses to ensure their data capture is compliant
- Advising housing associations and registered providers on the implementation of privacy by design measures.
Frequently Asked Questions
You will find answers to some of our most frequently asked questions below. We are confident you’ll find the information useful, and if you would like to know more or your question is not covered please contact us.
The data protection principles are the core rules set out in data protection legislation for the handling of personal data. They are the foundation of good data protection practice and should form the basis of your processing at all levels of your organisation, including your policies, procedures, deployment of systems and employee training. Non-compliance can lead to significant penalties.
A Subject Access Request (SAR) is a right of access to an individual’s own personal data, as well as other supplementary information about how your organisation processes that personal data. A SAR is distinct from a Freedom of Information Act Request which is for information held by a public authority.
A data protection impact assessment (DPIA) is one part of your compliance framework for meeting your data protection obligations. It is a documented assessment of the impact of the envisaged processing operations on the protection of personal data. It must be completed before you begin processing if that processing is likely to result in a high risk to the rights and freedoms of individuals.
A DPIA should not be treated as a tick-box exercise. It’s not just a document to draft and file away; it’s a living process that must align with your actual data processing activities and inform decision making throughout the lifecycle of a project/processing activity.
In the UK, data protection is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
A complaint to the Information Commissioner’s Office (ICO) can relate to any issue around personal data. A complaint is made by a data subject; the ICO will review the complaint and evidence and will usually require a response from you within 21 days. It is imperative to provide a detailed response and to reflect on your handling of the complainant’s personal data. You should request a copy of the evidence sent by the complainant, or you will be at a disadvantage when you respond.
When you receive SARs or complaints you should action them swiftly and seek expert legal advice on complex issues. Ensure you have a procedure governing responses (which is regularly reviewed), and do not assume that apologising or paying a sum of money to the data subject will resolve the issue. You run the risk of prejudicing your position and receiving claims from other data subjects, which could be disastrous for your organisation.
We can advise as to whether any settlement is appropriate in the circumstances and ensure all the loose ends are tied up so there’s no comeback down the line.
Everyone in an organisation responsible for processing personal data (which includes storing it) has to follow strict legal rules. Senior management and Data Protection Officers are responsible for managing data-related risks promptly. However, overall accountability lies with your organisation.
A data protection officer (DPO) is a legal requirement if you are a public authority/body or if you carry out certain types of processing activities (such as online behaviour tracking or large scale processing of special categories of data e.g. health data).
A DPO assists you by monitoring internal compliance, informing and advising on your data protection obligations, advising on DPIAs and acting as a contact point for data subjects and the ICO.
The Court rules set out strict deadlines for responding to a claim at each stage of proceedings, so you should seek urgent legal advice if you receive a letter of claim. There are several ways forward: do not automatically assume that the person making the claim knows what they are doing or that they have valid grounds to sue. In England and Wales, it is possible for a party to issue a claim even where there are no valid grounds.
You often have one chance at defending a claim and instructing a solicitor gives you the best chance of framing your defence in the strongest way. Tozers are experts in dispute resolution and, wherever possible, the focus will be on dealing with the claim most cost-effectively. Most cases are resolved without setting foot in Court.
Understanding your legal obligations under data protection law is only the starting point. These obligations must actively inform and shape your processing activities, not be fitted around them. Compliance should permeate every level of your organisation, and you should be open and transparent with your customers about your processing of their data.
You should carry out regular risk assessments, respond to the identified risks by implementing appropriate security measures, and train your employees.
