All organisations in the UK, regardless of their size or activities are subject to the UK GDPR when processing personal data: we provide a first-rate bespoke and tailored GDPR service to our clients, bringing detailed knowledge of a wide range of industries and sectors.
The General Data Protection Regulation (GDPR) came into force in the UK on the 25 May 2018. The GDPR was then implemented into national law by the Data Protection Act 2018 (DPA 2018). This legislation replaced the Data Protection Act 1998 and has been the biggest reform of data protection law in the UK in the past 20 years.
Since 1 January 2021, following the UK leaving the EU, the GDPR forms part of the EU law kept as UK domestic law. This “retained EU law version of the GDPR” is now referred to as the UK GDPR.
The UK GDPR provides an enhanced level of data protection which all organisations, irrespective of their size and activities, are required to comply with when they are involved in processing personal data. Failure to comply with the requirements of the UK GDPR may render an organisation liable to serious consequences – including substantial fines of up to £17.5 Million, or 4% of annual global turnover, whichever is greater. The Information Commissioner’s Office (ICO) is the UK regulator and has the power to make such fines in the event of non-compliance and reported data breaches. In addition, organisations may face reputational damage, loss of their client/customer base and claims by data subjects.
We aim to ensure our clients are not only UK and EU GDPR complaint, but also have a better understanding of their data processing activities and obligations.
Our GDPR services include data audits – tailored to each organisation’s size, activities and requirements – and a data mapping service – to map an organisation’s data processing activities in a simple, easy to follow and practical way.
Our GDPR specialists assist clients by drafting and advising upon a range of data protection compliant policies and procedures including:
- Website privacy policies, cookie policies and APP privacy policies;
- Privacy notices for businesses and commercial organisations, charities, professional bodies and membership organisations;
- Privacy notices and data protection documentation for an organisation’s employees, workers and contractors;
- Data protection policies, such as a privacy standard policy, data retention policy, data subject access request policy, records of processing activities and legitimate interest assessments and records;
- A review of processing of any sensitive data known as “special categories of data” and criminal conviction data; identifying conditions for processing such data and drafting of an appropriate policy document;
- A review of data protection clauses in commercial contracts, supplier contracts and sub-contractor contracts;
- Data processing agreements and data sharing agreements;
- Direct marketing consent notices;
- Data breach policies and data breach reporting and monitoring obligations and procedures; and
- Bring-your-own-device policies, IT/ data security policies.
We regularly advise clients in dealing with data breach incidents, including:
- notification obligations to the ICO and affected data subjects
- recording obligations
- remedying or mitigating the effects of the breach
- enabling mitigation by affected data subjects
- taking action against other parties responsible for the data breach
- dealing with potential claims by affected data subjects
- dealing with reputational issues
We advise clients upon international data transfers, including the drafting of standard contractual model clauses, international data transfer agreements, binding corporate rules and UK/US transfers.
We advise clients upon direct marketing activities in accordance with the Privacy and Electronic Communications Regulations 2003 (PECR), to be further amended by the E-Privacy Regulations due to come into force.
We provide practical and pragmatic advice to assist clients with their GDPR compliance and value the long-term successful relationships we create with our clients.