GDPR and Data Protection Solicitors
Legal Advice on GDPR and data protection issues – London & UK
Every organisation stores information about its employees, which must be managed and stored securely to ensure compliance with data protection laws. Privacy laws have changed hugely in the last 10 years to cater for an ever-growing need for information to be kept secure. Data protection compliance is essential if you are running a business of any size.
A breach of the GDPR can incur a massive fine which could seriously affect your business. There has been a large increase in proposed fines for data privacy violations (in the UK and across Europe), including for British Airways and the Marriott Group. There have also been a number of prosecutions of those who have infringed the rights of employees, customers and other individuals.
Our GDPR and data protection solicitors can provide you with the help that you need to navigate this complex area of the law. Whether you need advice on data breaches or handling overseas data transfers, we have the experience that you need to help you with your data protection issues.
Our data protection solicitors have experience with working in a variety of industry sectors for both startups and multinational organisations. From entertainment and hospitality to healthcare and media, we have worked successfully with a range of clients to find solutions to their GDPR and data issues.
Data Protection Lawyers - Our services
Our data protection team advise businesses and individuals on a wide range of data protection and GDPR issues including:
- Handling data subject access requests (SAR/DSAR). This may involve using an end-to-end eDiscovery tool, as required
- Handling and reporting data privacy breaches
- Challenges made to the Information Commissioner’s Office (ICO) by employees and other data subjects
- Employee monitoring and surveillance of staff, both physically on site and online
- Employee screening and background checks (including criminal records checks)
- Drafting and reviewing data protection documentation
- Data Protection Impact Assessments (DPIAs) for high risk processing
- Overseas data transfers (both outside the UK and the EEA)
- Data protection obligations under the GDPR
- Data Audits – audits often include mapping personal data you process, assessing possible risks and exposure and contingency plans to minimise the risks
- Data retention and the destruction of records
- Handling complaints from individuals and regulators
- Marketing – we can review marketing policies and grounds for processing data. We can also advise on the additional requirements under the Privacy and Electronic Communications Regulations
GDPR Training for staff
We can tailor our training packages to suit your business needs. Our GDPR compliance solicitors can provide training for general staff awareness of GDPR. Additionally, we can offer specific training for Data Protection Officers, Data Protection Managers and other staff members.
Transparent Price Structure
We always aim to be transparent with our fees. After contact, our data protection experts will talk you through the work to be completed and provide a costing. We will discuss your organisation's requirements including:
- Assessing whether your organisation needs to appoint a Data Protection Officer, and documenting the reasons for the finding
- Data flow mapping
- Data processing activity reports (Article 30 reports)
- Compliance gap reporting (including process improvement recommendations to minimise risk of non-compliance)
- GDPR audits
- Suites of data protection policies, procedures, notices and contracts to cover data breach management, data retention, employee and other privacy notices, data subject access request forms and template data processing agreements
We offer a range of fixed price packages to suit your project and budget. If you are starting from scratch, our prices for getting you up and running with your data protection requirements are very competitive. Our data protection standard package starts from £2,500. This includes a suite of documentation tailored to your business (and any data mapping to start the process). In addition, this fee includes up to two hours of consultancy with an expert.
Data Protection Lawyers - FAQs
Need help understanding the basics of GDPR compliance and data protection? We have put together a handy list of FAQs that you may find useful.
What are the GDPR and Data Protection Act 2018?
GDPR stands for the General Data Protection Regulation. The GDPR consists of a set of rules designed to give European citizens more control over their personal data. Organisations have to make sure that personal information is gathered legally and that it is protected from misuse. Penalties and fines can result if personal data is misused. The legislation came into force across the European Union on 25 May 2018. Following Brexit, the GDPR was incorporated into domestic law (and is commonly known as the UK-GDPR), so it still applies. The GDPR is supplemented by the UK’s domestic Data Protection Act 2018. Together, they set out the various data protection obligations organisations must meet.
GDPR seven key principles
To process data lawfully, organisations must meet the seven data protection principles within the GDPR. The seven principles state the following:
- Data collected should be processed lawfully, fairly and transparently
- Data should be collected only for specified, explicit and legitimate purposes
- Organisations should collect the minimum data that they need
- The data stored should be accurate and, where necessary, kept up-to-date
- The data collected should be kept for no longer than is necessary and then erased
- Data collected should be kept in a secure way. In addition, it should be protected against unlawful processing or accidental loss or damage
- Accountability – the organisation is responsible for, and must be able to demonstrate, compliance with the principles of the GDPR
What is a personal data breach?
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This can arise through various means such as:
- Personal data being sent to an incorrect recipient
- Mass e-mails being sent to personal email addresses without blind copying
- Theft of data
- Data security hacks
- Personal data being left unsecured in physical or online form
- Sensitive data being accessed by people unexpectedly
- Loss or corruption of data
When do personal data breaches need to be notified and to whom?
There are two separate thresholds for notifying personal data breaches:
- Breaches need to be notified to the ICO when a breach is likely to result in a risk to individuals’ rights and freedoms
- Breaches need to be notified to individuals when a breach is likely to result in a high risk to their rights and freedoms
What time limits apply to notifying personal data breaches?
Data breaches need to be dealt with promptly. A data breach needs to be reported to the ICO not later than 72 hours after becoming aware of it. There is no set deadline for notifying individuals, but again they must be notified as soon as possible.
Can you sue for breach of data protection?
Individuals can sue for breaches of their data protection rights. This is becoming more common and various group cases are going through the courts. While specific individuals might not be claiming huge amounts of money, in mass litigation (for example if thousands of Claimants are joined) the overall cost of compensation awards can be large. In addition, sizeable fines can be issued to offending organisations.
What requests can individuals make about their data?
The most common request made is a Data Subject Access Request. This allows individuals to request information on personal data processed about them and to ask for a copy of the data. However, individuals also have:
- The right to be informed about data that the organisation is keeping
- The right to correct inaccurate data
- The right to erasure (known as the “right to be forgotten”)
- The right to restrict processing
- The right to data portability
- The right to object to processing
- Further rights in relation to automated decision making and profiling
How long do you have to claim or report a privacy breach?
The time limit for bringing a claim to court for a data privacy breach is six years.
However, if you initially raise a complaint with the ICO, its guidance states:
“We will not usually investigate concerns where there has been an undue delay in bringing it to our attention. You should raise your concerns with us within three months of your last meaningful contact with the organisation concerned.”
Data Protection - some recent cases
Our GDPR and data protection solicitors have worked on a wide range of projects. We have worked with companies of all sizes from a variety of industry sectors. Some examples of our work include:
- On-site audit and inspection of data protection policies to keep GDPR compliant
We worked with a global gaming company to carry out an on-site audit and inspection of the client’s day-to-day data protection practices. We reviewed current documentation and interviewed a number of key personnel at the premises. In addition, our GDPR team compiled a practical, user-friendly report. This included areas for improvement and actions that could be taken to ameliorate or eliminate risk.
- Review of data transfers between the UK and EU to prepare a company for Brexit
Our data protection experts carried out a review for a technology company that used and analysed customer data held in car dealerships for the manufacturer. Some dealerships were based in the Republic of Ireland, with the client based in the UK. Therefore, international data transfers were necessary. We reviewed the options available to the client and drafted Standard Contractual Clauses. These were tailored to their transfers, both with the manufacturers and dealerships (prior to a deal on data transfers being reached between the UK and EU). Our team compiled Data Protection Impact Assessments and advised on appropriate safeguards to include in light of Schrems II.
- Data Subject Access Request and ICO investigation
We assisted a major logistics company in responding to a Data Subject Access Request made by an ex-employee asking for a huge range of personal data. We compiled the initial responses, including steps taken to ensure the search was reasonable and proportionate. When the employee complained to the ICO, we drafted the responses for the client. In addition, we successfully argued to the ICO that the request had been “manifestly unfounded and excessive”. The ICO agreed with our analysis and no further enforcement action was taken.
More work examples can be found on Piers Leigh-Pollitt's (head of Data Protection) page.
“He has got a wealth of knowledge around data protection. His commitment is amazing, absolutely phenomenal” (about Piers Leigh-Pollitt)
Our Data Protection Team
Piers Leigh-Pollitt is an experienced employment lawyer and data privacy specialist, heading the Doyle Clayton Data Privacy team. He is an expert in his field and holds the Practitioner Certificate in Data Protection (GDPR). Piers is ranked by The Legal 500 and Chambers Guide to the UK Legal Profession as a Band 1 Leading Individual advising corporates and senior executives. Furthermore, Piers is the firm’s Compliance Officer for Legal Practice. He is also the firm’s Data Protection Manager, handling all regulatory and internal compliance matters. Experts in the team also include Mike Hibberd, Declan Bradley, Rose Smith and James Morrison.
Data Protection Resources
Data Protection Articles
Using personal emails for business purposes - what employers need to know
Covert CCTV recordings in the workplace - advice for employers
Data Protection Webinar
The Data Protection team’s latest webinar is available below, guiding employers through the thorny questions arising with health data in light of COVID-19, including:
- What guidance is available from the data privacy watchdog, the ICO?
- For businesses with many visitors (such as pubs and restaurants) how should they collect visitor data and what can they do with it?
- Can employers screen their staff and ask health-related questions?
- What written records must be kept?
- Are employers allowed to process such data?
- Why is health data treated differently to other types of data?
Why choose our Data Protection Solicitors?
- First, our reputation: we are highly rated by legal directories such as Chambers & Partners
- Secondly, we are fortunate to have worked with a wide range of businesses. This has resulted in a highly experienced team of GDPR and data protection experts with a bank of expertise
- Thirdly, communication – clear and straightforward advice from the start. We talk you through your GDPR obligations in plain English and make sure that you understand all your options
Contact Doyle Clayton
If you are looking for GDPR and data protection solicitors we can help. To make contact call us on +44 (0)20 7329 9090 or email us at firstname.lastname@example.org and we will call you. Please leave a message if you can’t get through. We will respond quickly to all enquiries.
Additionally we are happy to advise you by video call. One of our legal team can often advise you on the same day you contact us.