Data protection advice
All businesses in the United Kingdom that handle personal data have to comply with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. It is therefore vital that companies obtain advice from specialist data protection solicitors to ensure that they are GDPR compliant.
How our solicitors can assist with GDPR compliance
At Nelsons, our expert team of solicitors in Derby, Leicester and Nottingham works with businesses to put the right data protection systems in place to comply with the GDPR. We work closely with our clients to understand their business, providing bespoke advice relevant to their commercial situation and their strategic aims for the future.
Our solicitors draft detailed compliance policies setting out a business's approach to the GDPR and the steps that need to be taken to properly collect, store and safeguard relevant data. We can undertake a GDPR audit to ascertain where a business currently stands. Following this, we can advise on a compliance strategy, including the policies and procedures that will need to be put in place to evidence compliance.
Our team is also able to advise on the day-to-day data protection issues that may arise, such as how to deal with Subject Access Requests (SAR/DSAR), and has prior experience of dealing with the UK's data protection regulator, the Information Commissioner's Office (ICO), on behalf of our clients.
Our solicitors are recommended by the independently-researched publication, The Legal 500, as being one of the top teams of specialists in the country.
For more information about our GDPR / data protection services for businesses, contact our team of solicitors in Derby, Leicester or Nottingham via our online form or call 0800 024 1976 for a guaranteed response.
GDPR – Key points to consider
Valid consent to using personal data
The requirements for consent were tightened with the introduction of the GDPR. Consent must now be given by a clear affirmative action: silence, inactivity or pre-ticked boxes on your website no longer constitute valid consent from a customer.
You also have to give the customer the right to withdraw their consent at any time, and withdrawing consent must be as easy as giving it. In practice, this means allowing your customer to withdraw consent through the same channel that was used to obtain it in the first instance.
Special categories of personal data
Most businesses are already familiar with the concept of 'sensitive data' from the previous data protection legislation. The GDPR refers to this as 'special category' data, and it includes information concerning racial or ethnic origin and health generally, as well as other categories such as genetic and biometric data. Processing special category data requires a specific condition to be met in addition to a lawful basis for the processing.
Governance
Obligations are now imposed on you to show that you have considered and integrated compliance measures into your day-to-day practices. This may mean adopting appropriate data protection policies, training staff and, where required, appointing a data protection officer. Importantly, you now have to demonstrate that you comply with your obligations under the GDPR by keeping appropriate records.
In a significant departure from previous legislation, the GDPR requires you to have written contracts with any service providers who process personal data on your behalf, and to ensure that they comply with their obligations under the GDPR. Equally, if you process data on behalf of a third party, the GDPR places specific legal obligations directly on you and makes you liable for breaches for which you are responsible.
Right to erasure
The right to erasure, more commonly known as the 'right to be forgotten', gives data subjects the right to have their personal data erased in specific circumstances, such as where the personal data is no longer necessary for the purpose for which it was originally collected or processed.
Data breach notification
If you accidentally or unlawfully destroy, lose, alter, disclose, or give access to personal data, a requirement to notify the ICO will be triggered depending on the nature of the breach: unless the breach is unlikely to result in a risk to individuals, you must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. You may be tempted not to notify to avoid bad publicity; however, failure to notify risks an administrative fine of up to €10,000,000 or two per cent of total worldwide annual turnover in the preceding year, whichever is higher.
For the most serious infringements of the GDPR, such as breaches of the basic principles for processing or of data subjects' rights, the penalty is doubled to €20,000,000 or four per cent of total worldwide annual turnover, whichever is higher.