DATA PROTECTION
Services
Data protection affects almost every business in every sector. Regardless of their size, companies must comply with the principles, rights and obligations of the General Data Protection Regulation (GDPR). Navigating your way through the guidance on your own can be a daunting experience and getting it wrong can be a very costly mistake. The issues can be complex and many businesses benefit from specialist support to ensure they are fully compliant.
How we can help:
Our team of data protection solicitors at Jamieson Law are experts in GDPR compliance. We cover all aspects of UK GDPR, EU GDPR and the California Consumer Privacy Act. If you are a UK, Irish, New York or California based business owner, we’re here to advise you.
Starting a new business?
Our GDPR specialists will explain how data protection law affects your business, providing advice that is tailored to your exact needs. We’ll walk you through your obligations, breaking down the process into simple and manageable steps. We will then help you get the right policies, procedures and processes in place. With our support, you and your business will be compliant with all current legislation from the start of your journey.
Already an established business?
If you are an established business, keeping your company’s data protection policies and procedures up to date is essential. Our team of solicitors offer a GDPR health check, carrying out a comprehensive audit of your existing business practices. Taking into account the nature of your business and the type of data you handle; we will identify any areas of weakness or non-compliance. We will then provide you with targeted advice and a plan of action to get you back to full GDPR compliance.
Data protection can seem like an overwhelming subject for many businesses, but it doesn’t have to be. With our support, you’ll be GDPR compliant and set up for success.
For more information on the types of data protection services we offer, explore our bite-sized examples below, or contact us for a free initial consultation.
Registering with the Information Commissioner's Office (if UK based)
What is the Information Commissioner’s Office and why should I be registering with them?
The ICO is the UK’s independent authority which was set up to uphold data and information rights. This office deals with data protection and freedom of information in the UK.
Any organisation or sole trader that processes personal data must register with the ICO and pay a data protection fee (unless exempt). Mostly all businesses process personal data in one way or another, so it is likely you will need to register. This is an annual fee that ranges from £40-£2,900, although it’s likely to be between £40-60.
Take the ICO self-assessment here - https://ico.org.uk/for-organisations/data-protection-fee/
Ensuring the correct clauses are in their contracts
Do I need data protection clauses in my contracts?
It is definitely a good idea to cover this in your contracts (depending on what type of contract you’re talking about; client contracts and employment contracts should almost definitely cover this). This could be a clause in your contract that covers how you process and store data, how long for etc, ensuring to the other party that you are data protection regulation compliant.
Doing regular reviews of their own internal data security procedures
How often should I be reviewing my businesses internal data protection procedures?
These should be reviewed at LEAST once a year, but we’d recommend doing this quarterly. Remember that you need to keep up to date with new requirements and changes that are implemented.
Registering with the Data Protection Commission- (if Ireland based)
What is the Data Protection Commissioner and why should I be registering with them?
The DPC is the Data Protection Commissioner, a national independent authority responsible for upholding the fundamental right of individuals in the EU to have their personal data protected. Some organisations have to register with the DPC and they are also required to appoint a DPO (Data Protection Officer). Although, not everyone has to register with the DPC. You can check if you need to register here: https://www.dataprotection.ie/
Carrying out due diligence on their data processors
Why do I need to carry out due diligence on my data processors?
Carrying out due diligence checks on data processors is a requirement under GDPR/UK GDPR. This is to guarantee that data processors will implement the appropriate and proper technical and organisational measures to meet data protection requirements.
We can undertake due diligence checks for you, including data security checks, audit requests etc.
Putting data processing agreements in place
What is a Data Processing Agreement?
This is an agreement between the data processor and data controller of a company. The data controller is the person / business who determines the purpose, and the way personal data is processed, and the processor is anyone who processes personal data on behalf of the controller.
GDPR/UK GDPR requires any data processing carried out by a data processor for a data controller should be written in a contract – this contract is the Data Processing Agreement. This regulates the activities of data processors regarding personal data.
Having the right privacy policy and cookies policy in place
Do I need a privacy policy and a cookies policy?
If you have a website and you collect personal information, you need a privacy policy and a cookies policy. All companies processing data of EU or UK citizens need to tell users how their personal data is used. A privacy policy outlines what personal information you are collecting and how you use it. You need to tell website users if you set up cookies and explain what they do.
You need consent from users. This means you need a cookies banner that pops up on your website every time someone visits it.
If you don’t have these policies, it means you are not making your website users aware of how you’ll be using and disclosing their data, which can lead to ICO fines.
Preparing internal GDPR policies
What are internal data protection policies and why do I need them?
Internal data protection policies (or internal GDPR policies as they were previously called) are used to inform an organisations’ staff how the business complies with data protection rules and what steps they need to take to make sure the data is protected.
These are necessary for a number of reasons, including data storage, subject access requests, when personal data IS personal data and when it’s not, who to escalate things to if there is a problem etc.
Data protection affects almost every business in every sector. Regardless of their size, companies must comply with the principles, rights and obligations of the General Data Protection Regulation (GDPR). Navigating your way through the guidance on your own can be a daunting experience and getting it wrong can be a very costly mistake. The issues can be complex and many businesses benefit from specialist support to ensure they are fully compliant.
How we can help:
Our team of data protection solicitors at Jamieson Law are experts in GDPR compliance. We cover all aspects of UK GDPR, EU GDPR and the California Consumer Privacy Act. If you are a UK, Irish, New York or California based business owner, we’re here to advise you.
Starting a new business?
Our GDPR specialists will explain how data protection law affects your business, providing advice that is tailored to your exact needs. We’ll walk you through your obligations, breaking down the process into simple and manageable steps. We will then help you get the right policies, procedures and processes in place. With our support, you and your business will be compliant with all current legislation from the start of your journey.
Already an established business?
If you are an established business, keeping your company’s data protection policies and procedures up to date is essential. Our team of solicitors offer a GDPR health check, carrying out a comprehensive audit of your existing business practices. Taking into account the nature of your business and the type of data you handle; we will identify any areas of weakness or non-compliance. We will then provide you with targeted advice and a plan of action to get you back to full GDPR compliance.
Data protection can seem like an overwhelming subject for many businesses, but it doesn’t have to be. With our support, you’ll be GDPR compliant and set up for success.
For more information on the types of data protection services we offer, explore our bite-sized examples below, or contact us for a free initial consultation.
Registering with the Information Commissioner’s Office (if UK based)
What is the Information Commissioner’s Office and why should I be registering with them?
The ICO is the UK’s independent authority which was set up to uphold data and information rights. This office deals with data protection and freedom of information in the UK.
Any organisation or sole trader that processes personal data must register with the ICO and pay a data protection fee (unless exempt). Mostly all businesses process personal data in one way or another, so it is likely you will need to register. This is an annual fee that ranges from £40-£2,900, although it’s likely to be between £40-60.
Take the ICO self-assessment here - https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/
Registering with the Data Protection Commission- (if Ireland based)
What is the Data Protection Commissioner and why should I be registering with them?
The DPC is the Data Protection Commissioner, a national independent authority responsible for upholding the fundamental right of individuals in the EU to have their personal data protected. Some organisations have to register with the DPC and they are also required to appoint a DPO (Data Protection Officer). Although, not everyone has to register with the DPC. You can check if you need to register here: https://www.dataprotection.ie/
Having the right privacy policy and cookies policy in place
Do I need a privacy policy and a cookies policy?
If you have a website and you collect personal information, you need a privacy policy and a cookies policy. All companies processing data of EU or UK citizens need to tell users how their personal data is used. A privacy policy outlines what personal information you are collecting and how you use it. You need to tell website users if you set up cookies and explain what they do.
You need consent from users. This means you need a cookies banner that pops up on your website every time someone visits it.
If you don’t have these policies, it means you are not making your website users aware of how you’ll be using and disclosing their data, which can lead to ICO fines.
Ensuring the correct clauses are in their contracts
Do I need data protection clauses in my contracts?
It is definitely a good idea to cover this in your contracts (depending on what type of contract you’re talking about; client contracts and employment contracts should almost definitely cover this). This could be a clause in your contract that covers how you process and store data, how long for etc, ensuring to the other party that you are data protection regulation compliant.
Carrying out due diligence on their data processors
Why do I need to carry out due diligence on my data processors?
Carrying out due diligence checks on data processors is a requirement under GDPR/UK GDPR. This is to guarantee that data processors will implement the appropriate and proper technical and organisational measures to meet data protection requirements.
We can undertake due diligence checks for you, including data security checks, audit requests etc.
Doing regular reviews of their own internal data security procedures
How often should I be reviewing my businesses internal data protection procedures?
These should be reviewed at LEAST once a year, but we’d recommend doing this quarterly. Remember that you need to keep up to date with new requirements and changes that are implemented.
Preparing internal GDPR policies
What are internal data protection policies and why do I need them?
Internal data protection policies (or internal GDPR policies as they were previously called) are used to inform an organisations’ staff how the business complies with data protection rules and what steps they need to take to make sure the data is protected.
These are necessary for a number of reasons, including data storage, subject access requests, when personal data IS personal data and when it’s not, who to escalate things to if there is a problem etc.
Putting data processing agreements in place
What is a Data Processing Agreement?
This is an agreement between the data processor and data controller of a company. The data controller is the person / business who determines the purpose, and the way personal data is processed, and the processor is anyone who processes personal data on behalf of the controller.
GDPR/UK GDPR requires any data processing carried out by a data processor for a data controller should be written in a contract – this contract is the Data Processing Agreement. This regulates the activities of data processors regarding personal data.
FOLLOW
UK office: G2, 2 Milverton Grange, Glasgow G46 7AU
Ireland office: Cushenstown, Garristown, Meath A42 FY83
