Data Protection & Privacy

“The team are very approachable and clearly have a detailed knowledge of the minefield of data protection law. Theirs is a high-quality practice with an agile way of working and an outstanding reputation in the market. They provide excellent value for money.”

Libby Bate, formerly Data Protection & Information Officer, Unison

How We Can Help

Your organisation’s data is an important asset. Understanding what you’re doing with the data you hold, what your data protection risks are and how you manage those risks is key. Failure to do this properly erodes trust and reputation, and carries a genuine threat of huge management costs backed by large fines, criminal offences and serious adverse PR. Take a look at how we can help you to put your best foot forward.

General data protection and privacy advice

If you need general legal advice on compliance with the GDPR, Data Protection Act 2018 and PECR, we can provide this in various ways:

Case Study

“It is great to work with specialist data protection lawyers with many years of experience working in this area. There have been a lot of new advisors offering up advice in this area since the run-up to implementation of the GDPR. As a long-standing data protection specialist myself, I need to know that I am working with truly knowledgeable advisors. Stephanie and Ben clearly have a detailed understanding of the complexities of the GDPR and its crossover with the Data Protection Act 2018, as well as how to apply this new law in context with the ever-changing EU and UK regulatory guidance. They advise on how the law applies practically to our real-world scenarios and are responsive, clear and thorough in their explanations. I would be delighted to recommend them to anyone – Pritchetts Law is a great, cost-effective solution when I need an extra pair of hands.”

Tim Gough, formerly Data Protection Officer, Westfield Europe

Artificial intelligence and automated decision-making

This century, significant advances in computer power and the associated ability to generate mind-boggling quantities of data have led to a huge rise in the use of artificial intelligence (AI) and automated decision-making (ADM) techniques. They now form an essential element of the technology industry.

If you’ve got a new project coming up and you want to assess the data protection risks involved in the use of data processing that involves AI or ADM (including profiling), we can help.

Our team of expert lawyers can quickly identify the issues at stake, including:

  • Whether you have to complete a DPIA, and what it should cover.
  • Staying compliant with the ICO’s guidance on AI and data protection, and also accountability.
  • Ensuring that you understand the accountability and governance implications of AI and ADM.
  • Determining what you need to do to ensure lawfulness, fairness and transparency in AI and ADM systems (e.g. by establishing legal basis and ensuring that appropriate privacy notices are in place).
  • Ensuring that you assess security, data minimisation and accuracy in AI and ADM processes.
  • Ensuring that individual rights are upheld in your AI and ADM systems.
  • Considering how best to protect any vulnerable groups (including children).
  • Considering the use of anonymised and pseudonymised data in line with regulatory guidance.

Of course, it is important to regularly review the use of AI and ADM processes as a project’s nature, scope, context, purpose or level of risk changes, or as technology advances. We can help with existing and ongoing project reviews and compliance updates, too.

Case Study

“As a cutting-edge technology business delivering innovative recruitment solutions to our customers, we have complex data protection needs. Pritchetts provided us with invaluable assistance with our data protection impact assessments and contract arrangements. They helped us put our best foot forward to customers when we were under intense pressure to show that our data protection house was in order. We experienced excellent service throughout the project – Pritchetts were detail-oriented, technically strong and also pragmatic, all without the price tag of their big law firm competitors.”

Rob Garlick, formerly Finance Director, LaunchPad Recruits

Data Protection Fact Finder

Our Data Protection Fact Finder acts as a bit of a mini-audit. (We do the big ones, too – see Audits and gap analysis.) You fill in the Fact Finder, answering questions about what personal data you are collecting, where it comes from, what you are doing with it and what measures you have in place to manage it appropriately.

The Fact Finder gets you thinking, and helps us to identify where you need to focus your time and resources. Many clients then ask us to produce a report to set out the key outcomes. That creates a focussed list of actions to drive your data protection compliance programme – whether it’s updated policies and procedures, tailored training or training courses, agreements or specific tricky data protection questions.

Case Study

“We asked Pritchetts to help us with our GDPR compliance. To set the ball rolling, they helped us to complete a Data Protection Fact Finder, to best understand how we process personal data as a business as well as how we could ensure best practice. We provide our services to individual consumers and it was important to us to ensure that we developed a tailored and understandable customer-facing privacy statement – to protect us and more importantly those who visit our operations. We really enjoyed working with the Pritchetts team to help us to achieve that.”

Rob Cook, UK Operations Manager, Namco UK Ltd

Audits and gap analysis

We can perform a data protection compliance audit or gap analysis of your organisation’s data-processing activities. Whether you want your audit to focus on one or two central business functions, extend across the entire organisation or sit somewhere in between, we can help you.

We can tailor our audit approach to suit your time and budget.

Our typical approach involves two stages:

  1. Information gathering. We gather information by using tailored audit questionnaires, interviewing staff and reviewing current policies and procedures. Some clients ask us to carry out the interviews ourselves, which provides more independent scrutiny. Others, however, rely on their internal teams to complete the questionnaires and follow up with questions internally. The path that clients choose often comes down to time and budget.

  2. Reporting. After the information-gathering phase is complete, we analyse the material and then compile our report. Here, we set out your organisation’s compliance levels and recommend practical next steps to address areas of risk and best practice.

Often, audits identify that further work is required on an organisation’s compliance programme – rolling out training, drafting or upgrading policies and procedures, and getting contracts in place. We can help here, too, customising our input to suit you.

Case Study

“Ben and Stephanie have supported UPP and its complex network of group companies throughout our extensive GDPR compliance program. We have appreciated their ability to advise us on … creating bespoke policies and processes and [they have been] highly responsive to urgent business-critical issues. They have spent time getting to know our business properly, and provide thoughtful, practical business advice.”

Moji Fatoye, formerly Deputy Company Secretary, UPP Group

Accountability – compliance programmes

The GDPR is very clear that organisations have a core obligation to show how they are complying with the legislation – this is called the accountability principle. Organisations acting as controllers have this obligation directly, but any processor who wants to do business in the age of data protection will need to be able to show its customer how it will support its data protection compliance.

We can help you with your organisation’s compliance programme at whatever level you choose – it’s up to you. It may be that you know where your gaps are or a data protection audit has identified areas to focus on. Alternatively, you may simply need to make a fresh start.

We tend to find it helpful to collaborate with you to focus on what matters most to you. We often do this by following our Data Protection Fact Finder, or performing a detailed data protection audit. Our expert lawyers can draft new data protection policies, procedures and guidelines – or rework existing ones – to give you a compliance programme that is fit for purpose.

Of course, you’ll know that compiling a compliance programme isn’t a one-hit wonder; it needs regular review to ensure that it keeps pace with the dynamic nature of data protection regulations and guidance, and that it is working well in practice. Should you need it, we can help with these reviews.

The regulator is also very keen to see how you can demonstrate an understanding of your data protection compliance in practice – we can help you to plug any gaps in staff knowledge by offering in-house training tailored to your needs.

Case Study

“It is great to work with specialist data protection lawyers with many years of experience working in this area … [Pritchetts Law] advise on how the law applies practically to our real-world scenarios and are responsive, clear and thorough in their explanations. I would be delighted to recommend them to anyone.”

Tim Gough, formerly Data Protection Officer, Westfield Europe

Policies and procedures

Whether you’re a microenterprise, corporate giant, charity or public body, policies and procedures are a critical part of your business operations. They also play a crucial role in how organisations can demonstrate their accountability, a key element of the data protection legislation.

We can help by drafting bespoke data protection policies and procedures for you – or simply reviewing your existing ones in light of the changes to the law and guidance. Either way, we ensure that you end up with a suite of workable policies and procedures that reflect best practice and are tailored to your company’s requirements.

We have helped our clients with a huge range of policies and procedures. Some are aimed at individuals, such as privacy notices for websites, or for recruits or staff. Others are focussed on how you operate internally, such as your overall privacy framework, handling DSARs and other individual rights requests, managing personal data breaches, conducting DPIAs or appointing data processors. We can help with the full range of policies, procedures and guidelines.

If you need an extra pair of hands with getting your staff up to speed on the new documentation, we can help with that, too. We have bags of experience in delivering data protection training, which we can design around your current policies and procedures.

Case Study

“Ben and Stephanie have supported UPP and its complex network of group companies throughout our extensive GDPR compliance program. We have appreciated their ability to advise us on … creating bespoke policies and processes and [they have been] highly responsive to urgent business-critical issues. They have spent time getting to know our business properly, and provide thoughtful, practical business advice.”

Moji Fatoye, formerly Deputy Company Secretary, UPP Group

Breach-handling

So, the worst has happened … or at least, you think it might have. There’s been a data security breach and you need to act fast. Even if you already have some data security procedures in place (although if you don’t, we can help with that, too), you might need some extra help. And who better to ask than some calm, expert lawyers whose flexible working pattern means that they can respond quickly?

We can support you through the entire process. We can provide advice on your initial response internally, help you to assess and mitigate any risks, and assist with drafting any data breach reports to the ICO and other regulatory bodies. We can also help you to respond to any regulatory investigations that follow and minimise the risk of enforcement action.

Alternatively, you might not have experienced a data security breach yet, but you’re keen to future-proof your organisation. We have the know-how to help you draft data security procedures for breaches large and small.

Case Study

“The ICO have got back to us and have confirmed that no further investigation was required due to the prompt and appropriate remedial action that was taken. Their response vindicates all of the effort that was made internally and by you to deal with the incident. Many thanks for your help and advice during what was quite a stressful period.”

Managing Director at a UK national professional practice

Arrangements for processing or sharing personal data

Organisations must carry out comprehensive data-mapping and ensure that they understand where personal data is collected from, or shared with, those outside the organisation.

One of the outcomes of the GDPR has been an increased focus by data controllers on the arrangements in place with their processors or suppliers, and where they are sharing data with other controllers. Reviewing these arrangements is a critical business requirement.

Are you a data processor faced with reviewing and understanding the specific risks raised by these varying, non-standard terms? Many suppliers are facing a barrage of client demands to sign up to their clients’ data-processing/data-sharing agreements. You’ll want to balance your desire to bring new clients on board smoothly with your need to manage the risk involved.

Alternatively, maybe you’re a controller reviewing your current arrangements for processing/sharing data and trying to ensure that they meet the GDPR requirements.

Either way, we have considerable experience with these types of agreements. We can help you to review yours – or create them from scratch if necessary – and achieve GDPR-compliant agreements that work for your business.

We can also help you to create comprehensive yet efficient tools for completing and maintaining your data protection due diligence records when you are planning to share data with another organisation – or even within your organisation. We often prepare checklists and other recording tools to help with this.

Case Study

“The team at Pritchetts Law worked alongside our other specialist legal advisors to advise on our data-processing agreements with customers, our privacy notices and our patient-centric app. Pritchetts Law was great value for money, responsive and quick to identify issues. The team provided strong legal advice that was enhanced by solid regulatory understanding and how it applied in practice to our business.”

Jon Spinage, Director of Technology, Vitaccess

Marketing

From microenterprises to global multinationals and charities, organisations want to connect with potential and existing prospects and shout about their products or services. But who will you contact? How did you get their details? Have they consented to receiving your marketing material? If you can’t show that you have consent, are you sending it under another lawful basis?

If you’re using adtech, AI or machine learning – or other new technologies to reach your customers, or monetise your data – you’ll need to consider which data protection risks are key, and how to mitigate those risks.

We are experts in the field of data protection and direct marketing. We can help you to design marketing strategies and carry out advertising copy clearance to ensure that they comply with both the GDPR and e-privacy legislation such as PECR. We can also advise you on how best to utilise your customer databases without tripping over the hurdles of the complex legislation that governs these activities.

Alternatively, you may simply want a leg up to ensure that your staff know how to create marketing campaigns that comply with data protection law. We can design and deliver marketing-focused data protection training to a brief that we agree together.

Case Study

“[Pritchetts Law has] greatly assisted [us] in training key people and carrying out gap analysis in the area of data protection. [The firm has] taken great care in gaining knowledge of our company to ensure information and advice is relevant to our needs and we feel confident that any queries we have in this area will be dealt with professionally, concisely and efficiently, ensuring our company stays compliant.”

Helen Bolton, Facilities Manager, Ceuta Healthcare

Data protection impact assessments

So, you’ve got a new project coming up and you want to assess the data protection risks involved. Whether you’re performing a DPIA to meet legal requirements, or as a voluntary risk assessment tool, we can help.

Our team of expert lawyers can zero in quickly on whether you have to complete a DPIA, and what it should cover. We can help you to write a DPIA that comprehensively analyses the processing involved and identifies and minimises data protection risks. We can also advise on consulting with the ICO if necessary.

Of course, DPIAs need to be reviewed regularly as a project’s nature, scope, context, purpose or level of risk changes. We can help with that, too.

Case Study

“Pritchetts provided us with invaluable assistance with our data protection impact assessments … We experienced excellent service throughout the project – Pritchetts were detail-oriented, technically strong and also pragmatic, all without the price tag of their big law firm competitors.”

Rob Garlick, formerly Finance Director, LaunchPad Recruits

International data transfers

Are you a UK-based business that is subject to the GDPR and exploring how to transfer personal data to or from other countries? Maybe you’re a business operating outside the UK, and planning to engage with UK customers. Or perhaps you’re considering a new cloud IT service provider that will store or process your data outside the UK.

For these and many other scenarios, our specialist lawyers can assess where your business stands in terms of international data transfers. We have considerable expertise in advising on how to achieve compliant international data transfers by using a range of tools. These include standard contractual clauses, binding corporate rules, consent-based transfers, adequacy self-assessment and more.

Case Study

“Stephanie and her team bring genuine expertise to this extremely important and highly complex area of business operations that helps us perform successfully. They explain issues in a straightforward way and provide clear solutions.”

Quoted in The Legal 500 UK 2021

Privacy notices

To comply with the GDPR, businesses must be transparent about how they collect, store and process personal data about their customers, or staff. Providing a privacy notice (or you may call it a privacy policy or statement) that reassures customers about how you use their data and keep it secure is a clear route to achieving this aim.

So, whether you’re looking to update your existing privacy policy or create a brand-new one, we can help. First, we can assist you with identifying your processing activities. Then, we can help you to create a privacy notice that communicates this information to your customers and staff in a GDPR-compliant fashion.

Case Study

“We initially asked Pritchetts to upgrade our privacy policy and standard terms of service for GDPR. Since then, as our organisation has grown, we have involved Pritchetts in many of our new projects. We often require detailed data protection advice as well as assistance with contract negotiations, and we have really appreciated the breadth of expertise and commercial nous that the Pritchetts team provide.”

Craig Rigby-Wilson, Co-CEO, Link Maker

DSARs and other individual rights requests

Your organisation may have put in place a comprehensive suite of GDPR-compliant policies and procedures, but it can be easy to overlook how to manage data subject access requests (DSARs) and other individual rights requests. This can be dangerous in today’s climate of greater data protection awareness, especially when coupled with the one-month time limit for your response.

If you’re receiving complex or large numbers of requests and there isn’t a suitable system for providing responses, it can really stretch your organisation’s internal processes. At the other end of the scale, if you’re a small business that has received a single request, you may be uncertain how to proceed. Whether the number of requests is large or small, add in the reduced turnaround times set by the GDPR and the fact that you can’t charge a fee any more (in most cases), and things can get pretty tense.

Why not let us share the load? Our solid background in data protection law means that we can help you to provide a swift response. Likewise, if you’ve received any complaints in relation to your data-processing activities, we can help there, too.

Then, when the dust has settled, if you need a hand with designing a policy on handling individual rights requests or with training your staff on how to respond, we can work with you to produce exactly what you’re after.

Case Study

“Data protection is a high-risk area in the modern business environment. Stephanie provides a service that combines extensive legal knowledge with concrete, pragmatic advice on how to deal with difficult situations. I have no reservations in recommending Stephanie to anyone with data protection issues. There is no one better on data protection law … Incredibly helpful to our organisation.”

David Ball, Vice Principal Corporate Services, Sir George Monoux College

Social media and adtech

Do you have a simple need to assess your organisation’s compliance when it hosts corporate social media accounts on platforms such as Twitter, LinkedIn, Facebook and Instagram? If so, we can help you to audit your interaction with those sites and update your privacy notices, cookie policy, website terms and conditions and acceptable use policies.

Alternatively, you may have entered the complicated new world of adtech and other online advertising channels such as aggregators, in which case you may need to consider or mitigate your risks as you do so.

The Information Commissioner’s Office (ICO) has investigated and reported on data protection issues around real-time bidding (RTB), programmatic advertising and on the adtech industry generally.

Its commissioned research into online advertising found that, of 2,300 participants, 63% said they found it acceptable that ads funded free content. However, when researchers explained how RTB works, this fell to 36%.

The adtech industry is facing increasing scrutiny by European authorities. In 2019, the French data protection regulator fined Google €50 million (£45 million) for breaching EU online privacy rules. This related to Google’s lack of transparency and clarity about its handling of personal data and inadequate consent for personalised ads.

Ignoring compliance carries a genuine threat of huge management costs backed by large fines, criminal offences and serious adverse PR:

  • We can help if your organisation is involved in processing personal data in the adtech ecosystem and needs assistance to ensure that the correct compliance measures or contracts are in place.

  • In the ICO’s view, a data protection impact assessment (DPIA) is mandatory where personal data is processed for RTB, given the high risk to individuals. We can help you to put the right DPIA processes in place and we can also liaise with the regulator if required.

  • The ICO is concerned that:
    1. Privacy policies and information provided to users cannot ensure transparency and fair processing of data where adtech is involved.
    2. Ad profiles created about individuals can be detailed and shared repeatedly among hundreds of organisations for any one bid request, all without the individual’s knowledge.

    We can help to draft compliant privacy notices or associated documents including cookie policies, DPIAs and supplier due diligence checklists.

  • The ICO has also highlighted:
    1. The inconsistent application of measures to secure data in transit and at rest. The ICO is concerned that individuals have no guarantees about the security of their personal data within the adtech ecosystem.
    2. The likelihood of changes to data protection law concerning international transfers of personal data, and similar inconsistencies about applying data minimisation and retention controls.

    We can help you to audit and assess your compliance generally, or specifically by conducting DPIAs. Such processes can often reveal training requirements, a need to assess and document the appropriate lawful bases relied upon within the RTB ecosystem, and a need to draft new policies and procedures, or simply tighten up existing ones.

  • Perhaps your data protection compliance queries concerning adtech or social media are more specific, relating to direct marketing, outsourcing to data processors, handling individual rights requests, ensuring the compliant use of surveillance and new technologies and more?

    Alternatively, you might be looking to untangle some data-processing and data-sharing arrangements between customers and adtech providers or aggregators. It’s certainly not always clear who is the processor or the controller, or whether everyone is a joint controller. We can help.

  • We can also help on the commercial side, putting adtech vendor arrangements in place to protect your organisation.

  • If you think your current processes need to be updated or reviewed to ensure compliance with data protection legislation, we can help draft new policies and procedures that reflect how you do business.

  • If something’s gone wrong and you’ve had a security breach, we can advise you on how best to handle it.

  • Given the regulatory spotlight on this area (the ICO is undertaking targeted information-gathering activities, engaging with stakeholders and cooperating with other data protection authorities), you may need assistance liaising with them and other regulators on data protection issues.

    Perhaps you’d like help to get their view on a tricky question where guidance is ambiguous, or where your DPIA has not completely reduced the data protection risks to your business. Alternatively, maybe the ICO has approached you more formally concerning information requests or complaints that it has received, and you’re unsure about next steps. We can help.

Case Study

“Stephanie and her team bring genuine expertise to this extremely important and highly complex area of business operations that helps us perform successfully. They explain issues in a straightforward way, and provide clear solutions.”

“Pritchetts Law LLP has always been incredibly reactive, professional and very helpful. Interactions have consistently been extremely well handled, professional, measured and on point. The service provided has always helped us solve issues we were having and they thoroughly answer any question we bring to them. When dealing with Pritchetts Law LLP, we get a very personalised service with great professionalism.”

Quoted in The Legal 500 UK 2021

Contact Us

Get in Touch

Pritchetts Law LLP
Hillside
35 Westbury Hill
Bristol
BS9 3AG
United Kingdom

+44 (0) 117 307 0266
info@pritchettslaw.com

Pritchetts Law LLP is a Limited Liability Partnership registered in England and Wales (company no. OC413975) and authorised and regulated by the Solicitors Regulation Authority (SRA no. 647155). "Partner" refers to a member of Pritchetts Law LLP.
© Copyright 2024 Pritchetts Law LLP