It is vitally important that companies do all they can to work towards GDPR compliance. You should be thinking continuously about the ways in which your business processes personal data and adapting as your processes change over time.
We understand how daunting and time consuming this can be, and we are here to help. The experienced GDPR Lawyers on the Data Protection and Privacy Law team at Lupton Fawcett will work with you to ensure you know what your rights and responsibilities are, prepare all the necessary documentation and advise you in the event of investigations.
No matter what stage your business is at with GDPR compliance, or what size and type your business is, our experienced data protection team will provide tailored, jargon free advice to get you where you need to be.
The General Data Protection Regulation
The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) have been in force for several years. Following Brexit, the GDPR was retained in UK law as the UK GDPR, so the standards set by the GDPR continue to apply to businesses in the UK.
The GDPR applies to “controllers” and “processors”. The controller is the person or organisation that determines the purposes and means of the processing of personal data. The processor processes personal data on the controller’s behalf and on its instructions.
The GDPR applies to “personal data”, and its definition is broader than under earlier data protection legislation, reflecting changes in technology and in how information about people is collected.
Personal data such as HR records, customer lists and contact details are all covered by the GDPR. The GDPR applies to personal data processed by automated means and to personal data held in certain structured manual filing systems.
The risks of not complying can be serious. For the most serious infringements, a breach of the GDPR can attract a fine of up to €20 million or 4% of your company’s annual worldwide group turnover, whichever is higher (under the UK GDPR the fixed figure is £17.5 million), and certain conduct may also be a criminal offence under the DPA. The regulator in the UK is the Information Commissioner’s Office (ICO).
It is therefore imperative that businesses do all they can in order to work towards GDPR compliance.
Here at Lupton Fawcett our team of specialist Data and Privacy lawyers have a wealth of experience and can help you in any way you need, including:
Data Processing Audits
Conducting data processing audits to help you identify your data processes, compliance, and policies, and their strengths and weaknesses, with specific focus on HR and Employee data.
Providing guidance reports on recommended actions you can take to improve your compliance with the GDPR.
Privacy Notices, Forms and Policies
Drafting and reviewing relevant documents for your business, including privacy notices, data protection policies, consent forms and data processing agreements.
Permitted Use of Personal Data
Advising on permitted uses of personal data, including how you collect, store, market and transfer that information.
Negotiating appropriate contractual terms with other data processors and controllers.
Personal Data Breaches
Assisting and advising on appropriate action in the event of a personal data breach.
Advising and representing you in respect of regulatory investigations and court hearings.
Data Subject Access Requests
Assisting and advising you in the event you receive a data subject access request, including providing a review and redaction service.
Staff Training
Providing flexible and tailored training courses for your staff to help them understand the issues and the steps they need to take to ensure compliance with the likes of GDPR, PECR, NIS and FOIA.
Am I processing personal data?
A key question, and one which is often underestimated, is whether your business is processing personal data. Personal data means any information that relates to a living individual who can be identified from it, either directly or indirectly. This includes obvious identifiers such as a name or email address, but it can also include more subtle pieces of information, such as an IP address, which when combined with other available information could be used to identify a person.
The idea of processing is also one which can be misunderstood, and it is a very broad concept. In effect, processing means any action performed on personal data. This can include obvious actions where personal data are actively analysed by a business, but it also includes other much more incidental actions. For example, storing personal data on your systems, collecting data on behalf of another party, or transmitting data to another party will all count as processing.
There are some exceptions, but generally, if you can identify personal data within your business, the likelihood is that your business is processing personal data. The more detailed the data and the more complex or large-scale your processing, the greater your obligations will be. These obligations also apply even if you are processing data on behalf of another organisation.
What do I need to do?
Whilst compliance can seem daunting, there are some key principles that underpin the GDPR and the rest of the data protection legislation, and it can be helpful to keep these in mind when running your business.
One of the main aims of the GDPR is to ensure that people are better informed about how their personal data are being processed and have the opportunity to control what happens to their data. Processing should be lawful, fair and transparent, and carried out for specified, legitimate purposes. Consent is only one of several lawful bases for processing; it is not required where another lawful basis applies. In addition, personal data should be kept secure. Your business should only process personal data when it needs to, and should do so with these principles in mind.
In practice, this means that you should clearly inform individuals about how, why and when your business will process their personal data, and what rights they have in relation to it. A carefully constructed privacy notice is a good way to do this. Where consent is the appropriate lawful basis, you should obtain it. You should keep the ways in which your business processes personal data under continuous review, especially when your processes change, and you should know how and when to conduct a data protection impact assessment, which is a useful (and in some cases legally required) tool for demonstrating that you have considered the risks.
You may also consider appointing a data protection officer to manage your compliance obligations on a day-to-day basis. Some businesses will be required to do this by law.
If you are unsure what personal data your business is processing, or whether it is doing so in ways which are compliant with the GDPR and the DPA, you may wish to conduct a data processing audit to help highlight areas that may need addressing and get a clearer picture about your rights and responsibilities.
Data Subject Rights
Data subjects have several rights under the data protection legislation, including amongst others:
- a right of access to their personal data, exercised by making a Subject Access Request (SAR);
- a right of erasure of their personal data (also known as the “right to be forgotten”); and
- a right of rectification of errors.
Your business may receive a request from a data subject asking you to provide, delete or correct the personal data you hold about them. These requests are not always clearly made and may not be easy to respond to. The timescales are short, so prompt action may be needed: under the GDPR, a request must be responded to “without undue delay and in any event within one month of receipt of the request”, and that period can only be extended by up to two further months where the request is complex or numerous requests have been received. Our experienced lawyers can help you identify what information you can and should provide, and will advise you on the actions you can take in response to these requests.
You may also receive a request for information under the Freedom of Information Act (FOIA) if you are a public authority or hold information on behalf of one. This is a separate regime and process from a SAR, and different rules apply as to what can and cannot be disclosed. Our solicitors can advise you on the appropriate action if you receive a request for information under FOIA.
GDPR Compliance Training
Our team of specialist GDPR lawyers offer a variety of training days to suit your needs. We host half day training sessions on:
- Introduction to GDPR, PECR and NIS;
- How to Manage Subject Access Requests and Freedom of Information Requests;
- An Introduction to Network and Information Systems (NIS); and
- An Overview of PECR and Cookies.
Please visit our events page for details of our training sessions and upcoming dates. We are also available to host our training sessions in-house for groups of your employees at a venue that suits you. Please contact any member of the Data and Privacy Law team to discuss further.
Contact us for help
We have experienced Data Protection Solicitors ready to answer your enquiries about any data protection law issues via email or telephone.
We provide a personalised service, with sector specialists and extensive resources to ensure we are giving you the best solutions to your problems.
Within every area of law, we put your interests first.
Our specialist GDPR Lawyers work regularly with clients across the United Kingdom including Bradford, Birmingham, Hull, Leeds, Liverpool, London, Manchester, Sheffield, York and Nottingham.
We can support your needs wherever you live in England, Wales, Northern Ireland and Ireland.
We will always respond promptly, and we will be happy to help.