Payne Hicks Beach


The General Data Protection Regulation (GDPR) came into force in the UK on 25 May 2018. The GDPR was then implemented into national law by the Data Protection Act 2018 (DPA 2018). This legislation replaced the Data Protection Act 1998 and has been the biggest reform of data protection law in the UK in the past 20 years.

Since 1 January 2021, following the UK leaving the EU, the GDPR forms part of the EU law kept as UK domestic law. This “retained EU law version of the GDPR” is now referred to as the UK GDPR.

The UK GDPR provides an enhanced level of data protection which all organisations, irrespective of their size and activities, are required to comply with when they are involved in processing personal data. Failure to comply with the requirements of the UK GDPR may render an organisation liable to serious consequences – including substantial fines of up to £17.5 million or 4% of annual global turnover, whichever is greater. The Information Commissioner’s Office (ICO) is the UK regulator and has the power to impose such fines in the event of non-compliance and reported data breaches. In addition, organisations may face reputational damage, loss of their client/customer base and claims by data subjects.

Our GDPR team at Payne Hicks Beach focuses on keeping data protection matters simple and getting quickly to the heart of the issues at hand when providing data protection related advice and services. We aim to ensure our clients are not only UK and EU GDPR compliant, but also have a better understanding of their data processing activities and obligations.

We provide a first-rate bespoke and tailored GDPR service to our clients and have detailed knowledge of a wide range of industries and sectors.

Our GDPR services include data audits – tailored to each organisation’s size, activities and requirements – and a data mapping service – to map an organisation’s data processing activities in a simple, easy to follow and practical way.

Our GDPR specialists assist clients by drafting and advising upon a range of data protection compliant policies and procedures including:

  • Website privacy policies, cookie policies and app privacy policies;
  • Privacy notices for businesses and commercial organisations, charities, professional bodies and membership organisations;
  • Privacy notices and data protection documentation for an organisation’s employees, workers and contractors;
  • Data protection policies, such as a privacy standard policy, data retention policy, data subject access request policy, records of processing activities and legitimate interest assessments and records;
  • A review of processing of any sensitive data known as “special categories of data” and criminal conviction data, identifying conditions for processing such data and drafting of an appropriate policy document;
  • A review of data protection clauses in commercial contracts, supplier contracts and sub-contractor contracts;
  • Data processing agreements and data sharing agreements;
  • Direct marketing consent notices;
  • Data breach policies and data breach reporting and monitoring obligations and procedures; and
  • Bring your own device policies and IT/data security policies.

We regularly advise clients in dealing with data breach incidents – including notification obligations to the ICO and affected data subjects, recording obligations, remedying or mitigating the effects of the breach, enabling mitigation by affected data subjects, taking action against other parties responsible for the data breach, dealing with potential claims by affected data subjects and dealing with reputational issues.

We advise clients upon international data transfers, including the drafting of standard contractual model clauses, binding corporate rules and UK/US transfers.

We advise clients upon direct marketing activities in accordance with the Privacy and Electronic Communications Regulations 2003 (PECR), which are to be further amended by the E-Privacy Regulations due to come into force.

We assist clients with their GDPR journey and value the long-term successful relationships we create with our clients.


