Data Protection Solicitors
Ensuring data is used properly and fairly
The protection of personal data should be a key consideration for your business. Failure to comply with data protection legislation could result in enormous fines, litigation, and reputational damage.
We can assist your business in ensuring you are meeting the data protection obligations owed to clients, third parties, employees, and anyone else whose data you process.
Data protection law sets out what should be done to ensure everyone's data is used properly and fairly. We have a team of data protection experts from our commercial contract law, employment law, and dispute resolution teams who can analyse your business processes to ensure you are fully compliant, helping you minimise risk.
We can assist with:
- Producing client-facing data protection policies and privacy notices.
- Producing employee-facing data protection policies and privacy notices.
- Advising on retention periods for personal data and drafting retention policies.
- Providing bespoke advice and policies for particular types of data processing (for example, drafting CCTV and DBS check policies).
- Delivering bespoke training to staff on data protection issues and compliance.
- Advising on data protection impact assessments, and the issues you should consider.
- Advising on compliance with data subject access requests (including those made by third parties, clients, employees or former employees).
- Advising on data subject enforcement of other data protection rights (for example, requiring the correction of personal data).
- Advising on reporting to the Information Commissioner's Office (ICO).
- Defending litigation for breach of personal data obligations.
We also have experience in dealing with the Information Commissioner's Office (ICO) when there has been a complaint or an alleged data breach.
You will likely require other advice when considering data protection. We offer a holistic approach to all areas of commercial law, including contracts, intellectual property, employment, disputes, and franchising.
What is data protection?
Personal data refers to information relating to a living individual where the individual is identifiable. Special category personal data is data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where used for identification purposes), health, sex life and sexual orientation. Additional rights and protections attach to processing special category personal data.
In the UK, data protection is governed by the UK GDPR (General Data Protection Regulation) and the DPA (Data Protection Act) 2018, which should be read together. All organisations in the UK that process personal data must comply with these laws or risk fines of up to £17.5 million or 4% of annual global turnover (whichever is greater) and/or other potential sanctions.
Organisations that send electronic marketing messages, use website cookies, or provide electronic communications services to the public must also comply with PECR (Privacy and Electronic Communications Regulations).
The data protection legislation gives individuals rights as to how their personal data is used and puts rules and limitations on what companies can do with the personal data they hold.
Compliance with data protection laws
Compliance with data protection laws is key, and not only because of the risk of financial and other consequences in the event of a breach: good data management saves your business time and demonstrates to people that you care about treating their personal data with respect. People have never been so aware of how their data is used (and misused).
Data protection impact assessments
A data protection impact assessment (DPIA) is a process to help you identify and minimise the data protection risks of a specific project. This process must be carried out if an activity is likely to result in a high risk to individuals and their data - but it's good practice to do a DPIA for any project that involves the processing of personal data because it demonstrates accountability and increases the awareness of data protection issues within your organisation.
A DPIA should describe the nature, scope, context and purposes of the processing, as well as identifying measures to mitigate risks. An effective DPIA allows you to identify and fix problems at an early stage, bringing broader benefits for both individuals and your organisation.
We can assist in advising on when you may need a DPIA, and what issues you should consider when producing one.
Data sharing agreements
Whilst not mandatory, we encourage our clients to use data sharing agreements. These arrangements, implemented between two controllers, describe the purpose of the data sharing and explicitly set out what happens to the data at each stage.
Having a data sharing agreement in place helps you and your business demonstrate that you are mindful of the importance of protecting personal data. It's a way to help all parties involved understand their roles in the sharing of data - and the expected standards.
Data processing agreements
A data processing agreement, or a DPA, is an agreement between a data controller, such as a company, and a data processor, such as a third-party service provider. Whenever a controller uses a processor, there must be a written contract in place. Similarly, if a processor uses another organisation (a sub-processor) to help it process personal data for a controller, it needs to have a written contract in place with that sub-processor.
Such contracts ensure that both parties understand their obligations, responsibilities and liabilities. The data protection laws set out mandatory clauses to be included in data processing agreements.
Policy documentation
We can provide invaluable guidance in either evaluating existing data protection policy documentation or drafting new documentation from scratch.
We can help with data protection policies, privacy notices, data retention policies and data breach policies, whether for processing third party client data, or processing employee or worker data.
Data breaches
A data breach occurs when a breach of security leads to the destruction, loss, alteration or unauthorised disclosure of, or access to, personal data. For example, this could include personal data being accessed by an unauthorised third party, data being sent to the wrong person or computers containing personal data being stolen.
Data breaches can lead to not only severe financial penalties, but also significant reputational damage.
When a data breach occurs, you are obliged to notify the ICO if the breach is likely to result in a risk to the rights and freedoms of individuals.
We can support and guide businesses through their reporting obligations, dealing with a data breach and taking preventative action to avoid repeated data breaches.
Subject access requests
Individuals have the right to access and receive a copy of their personal data, and other supplementary information. This is known as a subject access request. The request can be made either verbally or in writing and requests are increasingly being made when a dispute has already arisen.
We can advise on how to comply with a data subject access request, what data falls within the scope of the request, the scope of any search, how best to supply the data, and redaction. We can also assist with correspondence to the data subject about how the request has been complied with.