Data Protection & Privacy

Data protection is an area of increasing importance as organisations collect and process ever more personal data, and it is a rapidly developing area of law. It has repeatedly been in the media spotlight over recent years as organisations have struggled to achieve compliance.

Until 25 May 2018, the UK Information Commissioner could fine organisations a maximum of £500,000, and the power to carry out compulsory audits was limited to public sector organisations (it now extends to the private sector as well). Data protection has evolved from a “nice-to-have” to a “must-have”. Ignoring data protection issues carries a genuine threat of large fines, criminal offences and serious adverse PR.

The General Data Protection Regulation (GDPR) became applicable on 25 May 2018 and increased the level of fines substantially. For the most serious infringements, organisations can be fined up to 4 per cent of their annual worldwide turnover or €20 million, whichever is the greater.

How we can help

Matters relating to data protection and privacy law that we can assist you with may include:

  • Data protection compliance audits, data protection impact assessments (DPIAs) and compliance implementation plans. We can carry out detailed company-wide assessments or DPIAs of an organisation’s data-processing activities. These are usually carried out by designing relevant questionnaires; interviewing staff; reviewing current policies and procedures; and compiling reports setting out compliance levels and recommendations on practical steps that are needed to address areas of risk and best practice.
  • Compliant data transfer inside and outside the European Economic Area (EEA). We can advise on how to transfer personal data internationally in a compliant way, for example by relying on an adequacy decision, the European standard contractual clauses or binding corporate rules, or, in limited cases, on the explicit consent of the data subject, and on the particular requirements for transfers to the USA.
  • Data retention audits and policies. We can carry out company-wide assessments of an organisation’s data retention needs by designing retention questionnaires; interviewing staff; reviewing current policies and procedures; and compiling compliance reports. We can also draft data retention schedules to help ensure ongoing compliance on a practical level.
  • Compliant e-privacy and direct marketing campaigns. We can advise on how best to make use of your customer databases without breaching the raft of complex legislation (including the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR)) that governs these activities.
  • Fair collection statements, website privacy policies and health checks. We can draft or review fair-processing information/data collection statements and privacy policies, as well as reviewing data collection forms and methods of obtaining compliant opt-in and opt-out consents.
  • Data breach management. We can:
    • Assist with regulatory investigations by the UK Information Commissioner and other regulatory bodies (such as the Financial Conduct Authority (FCA), the Charity Commission and Ofsted) concerning data protection and data security breaches, and help minimise the risk of enforcement action.
    • Advise on data protection breach management generally, including drafting data breach reports and submissions to the Information Commissioner’s Office (ICO) and others.
  • Data protection policies, handbooks and employment documentation. We can draft and review data protection policies and procedures to ensure compliance with the legislation and best practice where appropriate.
  • Data-processing agreements. Where you are a data controller in relation to personal data and you appoint a data processor to carry out certain business functions for you (for example, payroll providers, contractors, call centres, mailing houses or debt collectors), the GDPR requires you to have a written contract in place with that processor containing specified mandatory terms (for example, on confidentiality, security, the use of sub-processors and the return or deletion of data at the end of the engagement). We can assist in drafting stand-alone agreements, clauses for insertion into your main agreement or side letters where existing contractual arrangements are already in place.
  • Handling of subject access requests (SARs) and complaints. We can assist with the handling of SARs and complaints in relation to data-processing activities.
  • Data protection and information security. We can advise on the legal (rather than technical) aspects of information security, particularly in the context of new technologies and ways of working such as cloud computing and bring your own device (BYOD) arrangements.
  • Changes required by the GDPR. We can advise on the changes involved in the GDPR and carry out a gap analysis for organisations that want to understand how well they meet the new compliance measures that are required under the GDPR.
  • Data protection helpline. We are happy to discuss provision of a fixed-cost data protection helpline service to assist you with your day-to-day data protection queries.
  • Training on data protection law.
  • Advice on all other data protection projects and matters including:
    • Advising on data protection issues associated with any new business projects.
    • Procurement of systems that are compliant with data protection legislation.
    • Participating in or engaging with big data and data analytics projects.
    • Carrying out privacy impact assessments (PIAs) and DPIAs.
    • Advising on data protection issues in contracts and in corporate transactions.
For more information about our experience in these areas of law, please go to Our Experience.

Otherwise, please Contact Us to discuss your legal or consultancy requirements in more detail.
© Copyright 2020 Pritchetts Law LLP