GDPR and Data Protection Solicitors
Legal Advice on GDPR and data protection issues – London & UK
What is GDPR?
The General Data Protection Regulation (“GDPR”) came into effect in 2018 and is a data privacy and security law which imposes many requirements on organisations. Employers must manage and securely store employee data to ensure compliance, with a breach of the regulation potentially resulting in a fine or prosecution. Following Brexit, the GDPR has been incorporated directly into UK domestic law as the UK GDPR.
How can we support you?
Our data protection solicitors can support you to navigate this complex area of law. We work with a variety of businesses, ranging from start-ups to multinational organisations, across multiple industry sectors, meaning we have the relevant knowledge and experience to assist you, whether you require advice on data breaches or handling overseas data transfers.
Our services are also available to private individuals, but it is important to note that compensation awards, made by the courts for claims brought by individuals, tend to be small (commonly under £1,000) and so may not cover the costs of instructing us. Please also note that we do not offer any “no win, no fee”, or similar arrangements, for data protection litigation work (which includes pre-litigation correspondence and advice about disputes).
We advise clients on a wide range of data protection issues, including:
- Handling data subject access requests (SAR/DSAR)
- Handling and reporting data privacy breaches
- Challenges made to the Information Commissioner’s Office (ICO) by employees and other data subjects
- Employee monitoring and surveillance of staff (physically on site and online)
- Employee screening and background checks (including criminal records checks)
- Drafting and reviewing data protection documentation
- Data Protection Impact Assessments (DPIAs) for high-risk processing
- Overseas data transfers (both outside the UK and the EEA)
- Data protection obligations under the GDPR
- Data retention and the destruction of records
- Handling complaints from individuals and regulators
- Advice on best marketing practice under the Privacy and Electronic Communications Regulations
Data protection training for staff
We also offer staff training, and tailor our packages to suit your business needs. We can provide training for general awareness or specific training for Data Protection Officers, Data Protection Managers, and other staff members.
Transparent price structure
We always aim to be transparent with our fees and offer a range of fixed price packages to suit your project and budget. After contact, our data protection experts will talk you through the work to be completed and provide a costing, during which we will discuss the requirements of your organisation, including:
- Assessing whether your organisation needs to appoint a Data Protection Officer, and documenting the reasons for the finding
- Data flow mapping
- Data processing activity reports (Article 30 reports)
- Compliance gap reporting (including process improvement recommendations to minimise risk of non-compliance)
- GDPR audits
- Suites of data protection policies, procedures, notices and contracts to cover data breach management, data retention, employee and other privacy notices, data subject access request forms and template data processing agreements
Data Protection Lawyers - FAQs
Need help understanding the basics of GDPR compliance and data protection? We have put together a handy list of FAQs that you may find useful.
What are the GDPR and Data Protection Act 2018?
GDPR stands for the General Data Protection Regulation. The GDPR consists of a set of rules designed to give European citizens more control over their personal data. Organisations have to make sure that personal information is gathered legally and that it is protected from misuse. Penalties and fines can result if personal data is misused. The legislation came into force across the European Union on 25 May 2018. Following Brexit, the GDPR was transcribed into domestic law (and is commonly known as the UK-GDPR) and so it still applies. The GDPR is supplemented by the UK’s domestic Data Protection Act 2018. Together, they set out the various data protection obligations organisations must meet.
GDPR seven key principles
To process data lawfully, organisations must meet the seven data protection principles within the GDPR. The seven principles state the following:
- Data collected should be processed lawfully, fairly and transparently
- Data should be collected only for specified, explicit and legitimate purposes
- Organisations should collect the minimum data that they need
- The data stored should be accurate and, where necessary, kept up-to-date
- The data collected should be kept for no longer than is necessary and then erased
- Data collected should be kept in a secure way. In addition, it should be protected against unlawful processing or accidental loss or damage
- Accountability – the organisation is responsible for, and must be able to demonstrate, compliance with the principles of the GDPR
What is a personal data breach?
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This can arise through various means, such as:
- Personal data being sent to an incorrect recipient
- Mass e-mails being sent to personal email addresses without blind copying
- Theft of data
- Data security hacks
- Personal data being left unsecured in physical or online form
- Sensitive data being accessed by people who were not expected to see it
- Loss or corruption of data
When do personal data breaches need to be notified and to whom?
There are two separate thresholds for notifying personal data breaches:
- Breaches need to be notified to the ICO when a breach is likely to result in a risk to individuals’ rights and freedoms
- Breaches need to be notified to individuals when a breach is likely to result in a high risk to their rights and freedoms
What time limits apply to notifying personal data breaches?
Data breaches need to be dealt with promptly. A data breach needs to be reported to the ICO not later than 72 hours after becoming aware of it. There is no set deadline for notifying individuals, but again they must be notified as soon as possible.
Can you sue for breach of data protection?
Individuals can sue for breaches of their data protection rights. This is becoming more common and various group cases are going through the courts. While specific individuals might not be claiming huge amounts of money, in mass litigation (for example if thousands of Claimants are joined) the overall cost of compensation awards can be large. In addition, sizeable fines can be issued to offending organisations.
What requests can individuals make about their data?
The most common request made is a Data Subject Access Request. This allows individuals to request information on personal data processed about them and to ask for a copy of the data. However, individuals also have:
- The right to be informed about data that the organisation is keeping
- The right to correct inaccurate data
- The right to erasure (known as the “right to be forgotten”)
- The right to restrict processing
- The right to data portability
- The right to object to processing
- Further rights in relation to automated decision making and profiling
How long do you have to claim or report a privacy breach?
The time limit for bringing a claim to court for a data privacy breach is six years.
However, if initially raising a complaint with the ICO, note that their guidance states:
“We will not usually investigate concerns where there has been an undue delay in bringing it to our attention. You should raise your concerns with us within three months of your last meaningful contact with the organisation concerned.”
Data protection - some recent cases
Our GDPR and data protection solicitors have worked on a wide range of projects. We have worked with companies of all sizes from a variety of industry sectors. Some examples of our work include:
– On-site audit and inspection of data protection policies to keep GDPR compliant
We worked with a global gaming company to carry out an on-site audit and inspection of the client’s day-to-day data protection practices. We reviewed current documentation and interviewed a number of key personnel at the premises. In addition, our GDPR team compiled a practical, user-friendly report. This included areas for improvement and actions that could be taken to ameliorate or eliminate risk.
– Review of data transfers between the UK and EU to prepare a company for Brexit
Our data protection experts carried out a review for a technology company that used and analysed customer data held in car dealerships for the manufacturer. Some dealerships were based in the Republic of Ireland, with the client based in the UK. Therefore, international data transfers were necessary. We reviewed the options available to the client and drafted Standard Contractual Clauses. These were tailored to their transfers, both with the manufacturers and dealerships (prior to a deal on data transfers being reached between the UK and EU). Our team compiled Data Protection Impact Assessments and advised on appropriate safeguards to include in light of Schrems II.
– Data Subject Access Request and ICO investigation
We assisted a major logistics company in responding to a Data Subject Access Request made by an ex-employee asking for a huge range of personal data. We compiled the initial responses, including steps taken to ensure the search was reasonable and proportionate. When the employee complained to the ICO, we drafted the responses for the client. In addition, we successfully argued to the ICO that the request had been “manifestly unfounded and excessive”. The ICO agreed with our analysis and no further enforcement action was taken.
More work examples can be found on Piers Leigh-Pollitt's (head of Data Protection) page.
“He has got a wealth of knowledge around data protection. His commitment is amazing, absolutely phenomenal” (about Piers Leigh-Pollitt)
Our data protection team
Piers Leigh-Pollitt is an experienced employment lawyer and data privacy specialist, heading the Doyle Clayton Data Privacy team. He is an expert in his field and holds the Practitioner Certificate in Data Protection (GDPR). Piers is ranked by The Legal 500 and Chambers Guide to the UK Legal Profession as a Band 1 Leading Individual advising corporates and senior executives. Furthermore, Piers is the firm’s Compliance Officer for Legal Practice. He is also the firm’s Data Protection Manager, handling all regulatory and internal compliance matters. Experts in the team also include Mike Hibberd, Declan Bradley, Rose Smith and James Morrison.
Data protection resources
Using personal emails for business purposes - what employers need to know
Covert CCTV recordings in the workplace - advice for employers
Data protection webinar
The Data Protection team’s latest webinar is available below, guiding employers through the thorny questions arising with health data in light of COVID-19, including:
- What guidance is available from the data privacy watchdog, the ICO?
- For businesses with many visitors (such as pubs and restaurants) how should they collect visitor data and what can they do with it?
- Can employers screen their staff and ask health-related questions?
- What written records must be kept?
- Are employers allowed to process such data?
- Why is health data treated differently to other types of data?
Why choose our Data Protection Solicitors?
- First, our reputation: we are highly rated by the legal directories, including Chambers & Partners
- Secondly, we are fortunate to have worked with a wide range of businesses. This has resulted in a highly experienced team of GDPR and data protection experts with a bank of expertise
- Thirdly, communication – clear and straightforward advice from the start. We talk you through your GDPR obligations in plain English and make sure that you understand all your options
Contact Doyle Clayton
If you are looking for GDPR and data protection solicitors we can help. To make contact call us on +44 (0)20 7329 9090 or email us at email@example.com and we will call you. Please leave a message if you can’t get through. We will respond quickly to all enquiries.
Additionally we are happy to advise you by video call. One of our legal team can often advise you on the same day you contact us.