Data Protection Lawyers


Ensuring data is used properly and fairly

The protection of personal data should be a key consideration for your business. Failure to comply with data protection legislation could result in enormous fines and irreparable reputational damage. In the very worst circumstances, a data breach could jeopardise the future of your business operation.

Data protection law sets out what should be done to make sure everyone’s data is used properly and fairly. We have a team of data protection experts that can analyse your business processes to ensure you are fully compliant, helping you to minimise risk.

We also have experience of dealing with the Information Commissioner's Office (ICO) when there has been a complaint or an alleged data breach. Appropriate, swift action following a violation is crucial to curtail damage.

It is likely that you will require other advice when considering data protection. We are able to offer a holistic approach across all areas of commercial law, including contracts, intellectual property, disputes and franchising.


What is data protection?

Data protection is about protecting personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, and ensuring it is processed fairly. Personal data refers to information relating to a living individual where the individual is identifiable, either through the information on its own or together with other information held.

In the UK, data protection is governed by the UK GDPR (General Data Protection Regulation) and the DPA (Data Protection Act) 2018, which should be read together. All organisations in the UK that process personal data must comply with these laws or risk fines of up to £17.5 million or 4% of annual global turnover, whichever is greater, and/or other potential sanctions.

Organisations that send electronic marketing messages, use website cookies, or provide electronic communications services to the public must also comply with PECR (Privacy and Electronic Communications Regulations).

The data protection legislation gives individuals rights as to how their personal data is used and puts rules and limitations on what companies can do with the personal data they hold.

Compliance with data protection laws

Compliance with data protection laws is key, but not only because of the risk of financial and other consequences in the event of a breach - good data management saves your business time and also demonstrates to people that you care about treating their personal data with respect. People have never been so aware of how their data is used (and misused).

Data protection impact assessments

A data protection impact assessment (DPIA) is a process to help you identify and minimise the data protection risks of a specific project. This process must be carried out if an activity is likely to result in a high risk to individuals and their data - but it's good practice to do a DPIA for any project that involves the processing of personal data because it demonstrates accountability and increases the awareness of data protection issues within your organisation.

A DPIA should describe the nature, scope, context and purposes of the processing, as well as identifying measures to mitigate risks. An effective DPIA allows you to identify and fix problems at an early stage, bringing broader benefits for both individuals and your organisation.

We have good experience of helping businesses with the preparation of DPIAs.

Data sharing agreements

Whilst not mandatory, we encourage our clients to use data sharing agreements. These arrangements, implemented between two controllers, describe the purpose of the data sharing and explicitly set out what happens to the data at each stage.

Having a data sharing agreement in place helps you and your business demonstrate that you are mindful of the importance of protecting personal data. It's a way to help all parties involved understand their roles in the sharing of data - and the expected standards.

Data processing agreements

A data processing agreement, or a DPA, is an agreement between a data controller, such as a company, and a data processor, such as a third party service provider. Whenever a controller uses a processor, there must be a written contract in place. Similarly, if a processor uses another organisation (a sub-processor) to help it process personal data for a controller, it needs to have a written contract in place with that sub-processor.

Such contracts ensure that both parties understand their obligations, responsibilities and liabilities. The data protection laws set out mandatory clauses to be included in data processing agreements.

Policy documentation

We can provide invaluable guidance in either evaluating existing data protection policy documentation or drafting new documentation from scratch.

We can help with data protection policies, privacy notices, data retention policies and data breach policies.

"Tracy provided clear, workable advice and was a pleasure to deal with. Highly recommend"

A satisfied client

"From the start they have been awesome with prompt, professional but friendly service and support when dealing with a particularly tricky business exit."

Review Solicitors

"Thank you for all of your support on this contract. We now have a document we can present to the MD and the Board"

ADR specialist logistics business

Data breaches

A data breach occurs when a breach of security leads to the destruction, loss, alteration or unauthorised disclosure of, or access to, personal data. For example, this could include personal data being accessed by an unauthorised third party, data being sent to the wrong person or computers containing personal data being stolen.

Data breaches can lead to not only severe financial penalties, but also significant reputational damage. If your business loses trust, it can be very difficult to get it back.

When a data breach occurs, it’s vitally important you act swiftly and obtain legal and operational advice. You have to notify the ICO of a breach if it is likely to result in a risk to the rights and freedoms of individuals. Where this applies, you must report within 72 hours of becoming aware of the breach, where feasible. If a breach is likely to result in a high risk to the rights and freedoms of individuals, you must inform those concerned directly without undue delay.

We can support and guide businesses through dealing with a data breach.

Subject access requests

Individuals have the right to access and receive a copy of their personal data, and other supplementary information. This is known as a subject access request. The request can be made either verbally or in writing including, increasingly, via social media.

We can help businesses across all sectors respond to subject access requests, and the timeframes for dealing with such requests are tight. You should respond without delay and within one month of receipt of the request.

We can help you with all data subject requests, simple or complex, including using exemptions where appropriate and redacting information before disclosure.

Why choose us as your data protection solicitors

Data protection is a hugely important issue for businesses and should be treated as a priority. Getting it wrong can have catastrophic consequences, both financially and from a reputational perspective.

Working with the best data protection experts will ensure that you have taken every reasonable step to comply with the law.

We work for a broad range of businesses and sectors, right from small owner-managed operations through to large multi-nationals. As a skilled multi-disciplinary practice, we can call on our colleagues in other teams with complementary knowledge in areas such as commercial law and disputes, meaning you will only need to engage with one firm.


Meet the data protection team