DATA PROTECTION

Services

Registering with the Information Commissioner's Office (if UK based)

What is the Information Commissioner’s Office and why should I be registering with them?

The ICO is the UK’s independent authority which was set up to uphold data and information rights. This office deals with data protection and freedom of information in the UK.

Any organisation or sole trader that processes personal data must register with the ICO and pay a data protection fee (unless exempt). Almost all businesses process personal data in one way or another, so it is likely you will need to register. This is an annual fee that ranges from £40 to £2,900, although for most businesses it is likely to be between £40 and £60.

Take the ICO self-assessment here: https://ico.org.uk/for-organisations/data-protection-fee/

Ensuring the correct clauses are in their contracts

Do I need data protection clauses in my contracts?

It is definitely a good idea to cover this in your contracts (depending on the type of contract; client contracts and employment contracts should almost certainly cover it). This could be a clause that sets out how you process and store personal data and for how long, giving the other party assurance that you comply with data protection regulation.

Doing regular reviews of their own internal data security procedures

How often should I be reviewing my business's internal data protection procedures?

These should be reviewed at LEAST once a year, but we’d recommend doing this quarterly. Remember that you need to keep up to date with new requirements and changes that are implemented.

Registering with the Data Protection Commission (if Ireland based)

What is the Data Protection Commissioner and why should I be registering with them?

The DPC is the Data Protection Commissioner, a national independent authority responsible for upholding the fundamental right of individuals in the EU to have their personal data protected. Some organisations have to register with the DPC and are also required to appoint a DPO (Data Protection Officer). Not everyone has to register with the DPC, however. You can check whether you need to register here: https://www.dataprotection.ie/

Carrying out due diligence on their data processors

Why do I need to carry out due diligence on my data processors?

Carrying out due diligence checks on data processors is a requirement under GDPR/UK GDPR. The purpose is to ensure that your data processors implement appropriate technical and organisational measures to meet data protection requirements.

We can undertake due diligence checks for you, including data security checks, audit requests etc.

Putting data processing agreements in place

What is a Data Processing Agreement?

This is an agreement between a data controller and a data processor. The data controller is the person or business who determines the purposes of the processing and the way personal data is processed; the processor is anyone who processes personal data on behalf of the controller.

GDPR/UK GDPR requires that any data processing carried out by a data processor on behalf of a data controller be governed by a written contract. That contract is the Data Processing Agreement, and it regulates the processor's activities in relation to personal data.

Having the right privacy policy and cookies policy in place

Do I need a privacy policy and a cookies policy?

If you have a website and you collect personal information, you need a privacy policy and a cookies policy. All companies processing data of EU or UK citizens need to tell users how their personal data is used. A privacy policy outlines what personal information you collect and how you use it. You need to tell website users if you set cookies and explain what they do.

You need consent from users. This means you need a cookies banner that pops up on your website every time someone visits it.

If you don’t have these policies, it means you are not making your website users aware of how you’ll be using and disclosing their data, which can lead to ICO fines.

Preparing internal GDPR policies

What are internal data protection policies and why do I need them?

Internal data protection policies (or internal GDPR policies, as they were previously called) are used to inform an organisation's staff how the business complies with data protection rules and what steps they need to take to make sure the data is protected.

They are needed to cover a number of areas, including data storage, subject access requests, when personal data IS personal data and when it is not, and who to escalate things to if there is a problem.

FREQUENTLY ASKED QUESTIONS ABOUT

Data Protection

In a nutshell, data protection (and the legislation governing it) controls how your business / organisation uses personal information. Everyone who uses personal data has to follow ‘data protection principles’:

  • Ensuring the data is used fairly, lawfully, and transparently
  • It is used for specified, explicit purposes
  • The data is accurate and, where necessary, kept up to date
  • It is kept no longer than is necessary
  • It is used in a way that is adequate, relevant, and limited to only what is necessary
  • It is handled in a way that ensures appropriate security

Personal data covers things like first name and surname, home address, a personal email, location data, IP addresses etc.

The DPA 2018 governs data protection in the UK. You’ve probably heard of GDPR - well this is an EU law that the UK implemented via the DPA 2018. The DPA 2018 is essentially the UK’s version of GDPR.

GDPR is an EU law on data protection and privacy. The UK implemented GDPR into its own domestic law via the DPA 2018. GDPR is known as ‘the toughest privacy and security law in the world’ because of its stringent rules on collecting and processing personal data in the EU.

Since the end of the Brexit transition period, when the UK left the EU, GDPR no longer applies in the UK. Although GDPR itself does not apply, the DPA 2018 already contains the GDPR requirements, rights, and obligations post-Brexit, meaning not much has to change for UK businesses from this perspective.

Until recently, the UK was awaiting an ‘adequacy decision’ from the European Commission, which would essentially allow personal data to continue to flow freely from the EU to the UK. The UK has now been deemed adequate, so this personal data can continue to flow.

It most likely is legit (although if you aren’t sure, always get in contact with the ICO or check their website). The ICO goes through Companies House to see who has and who hasn’t registered with them, so if you’ve received a letter despite having run your business for a while, this is why.

Data protection breaches are some of the most common pitfalls for businesses, and the fines can be pretty hefty.

The UK DPA 2018 sets a maximum fine of £17.5 million or 4% of annual global turnover (whichever is greater).

Under EU GDPR, the maximum fine is €20 million or 4% of annual global turnover.

This is California’s data protection regulation. California brought in rules similar to GDPR in 2018, known by the short name ‘CCPA’. (It’s not as strict as GDPR - think of it as ‘Baby GDPR’!) If you are based in California, or could have clients in California, it’s important you consider this too.

UK office: G2, 2 Milverton Grange, Glasgow G46 7AU
Ireland office: Cushenstown, Garristown, Meath A42 FY83
